Ghost in the network (printer)

Forums › Desktop computing › Ghost in the network (printer)

rbis

15 posts

Geek
+1 received by user: 1

#302714 14-Dec-2022 09:07

My network attached printer has started spontaneously printing pages of rubbish.

Examples include:

GET / HTTP/1.1
Host: [REMOVED IP ADDRESS]:9100
Accept: */*
User-Agent: Mozilla/5.0 {Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM

Connection: close

or:

GET / HTTP/1.0

or total gibberish, such as:

^$*+,01$U

or:

¥Ä@½¢"8yß,®±

Apart from making me feel guilty about wasting paper, it's very annoying! The problem seems to have materialised after a WINDOWS 10 reset on my main computer, and only occurs when this computer is connected to the network, but not necessarily when switched on.

any insights gratefully accepted - thanks in advance.

1 | 2

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3009755 14-Dec-2022 09:13

Nothing to do with Windows.

Do you have a Fuji Xerox ApeosPort-VII C3321 printer on your network?

The IP address on that message is exactly the same as the IP address you're posting from. This means your printer is visible on the Internet and anyone can access it.

I have edited your message to remove your IP address.

I guess you either created a port forward on your router to your printer, or the printer is configured to expose itself to the Internet by automatically creating a port forward using UPnP.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

rbis

15 posts

Geek
+1 received by user: 1

#3009756 14-Dec-2022 09:17

the latest development:

GET/ HTTP/1.1
Host: [IP REMOVED]:9100
Connection: keep-alive
Cache-Control: max-age=O
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image
Accept-Encoding: gzip, deflate
Accept-Language: en-NZ,en;q=0.9

richms

29098 posts

Uber Geek
+1 received by user: 10208

Trusted

Lifetime subscriber

#3009757 14-Dec-2022 09:18

Who's gonna send him goatse or something now?

Richard rich.ms

rbis

15 posts

Geek
+1 received by user: 1

#3009761 14-Dec-2022 09:27

Thanks BDFL - Memuneh

You are correct with identifying the printer.

The problem began after the Windows reset when I could print documents but was unable to receive scans from it. Technical support from FX got me to this point but it seems that something is still amiss. Do you have any suggests about setting ports on the printer or router?

cyril7

9073 posts

Uber Geek
+1 received by user: 2499

ID Verified

Trusted

Subscriber

#3009762 14-Dec-2022 09:28

richms:
Who's gonna send him goatse or something now?

Oh so tempting 😂

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3009763 14-Dec-2022 09:29

How did FX get you to this point? Did support suggest to change the router or printer configuration?

To fix this you will have to login to your router and delete any port forward there or uncheck the UPnP feature. If there's nothing there you will have to login to your printer and remove any UPnP setting there.

Once done, let us know so I can confirm.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Dell

Shop now for Dell laptops and other devices (affiliate link).

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3009764 14-Dec-2022 09:30

@rbis as it is, at the moment anyone can send anything to your printer by just using your IP address:

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

cyril7

9073 posts

Uber Geek
+1 received by user: 2499

ID Verified

Trusted

Subscriber

#3009766 14-Dec-2022 09:37

Hi Mauricio, I suggest you wave you magic wand and remove the IP address from public view again.

Cyril

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3009768 14-Dec-2022 09:42

cyril7:

Hi Mauricio, I suggest you wave you magic wand and remove the IP address from public view again.

Cyril

Done.

@rbis, please do not post the messages sent out by your printer again unless you remove the IP address. I have edited your second post to remove it.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3009777 14-Dec-2022 09:59

@rbis if there is no port forward or UPnP, then perhaps check that the printer IP address is not set as DMZ.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

michaelmurfy

meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator

ID Verified

Trusted

Lifetime subscriber

#3009781 14-Dec-2022 10:00

@rbis It looks like at some point you've added your printer to the DMZ of your router - does this seem familiar? I can see all standard printer ports exposed.

I was successfully able to add the printer to Windows, I have not attempted a print however. Until you remove your printer from the DMZ on your router (or simply factory reset your router) you should unplug your printer from the network + turn it fully off.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

cyril7

9073 posts

Uber Geek
+1 received by user: 2499

ID Verified

Trusted

Subscriber

#3009786 14-Dec-2022 10:15

Looks like he has taken the router offline now, I did manage to print a job, but its all off now, scary

Cyril

richms

29098 posts

Uber Geek
+1 received by user: 10208

Trusted

Lifetime subscriber

#3009788 14-Dec-2022 10:15

What did you print?

Richard rich.ms

cyril7

9073 posts

Uber Geek
+1 received by user: 2499

ID Verified

Trusted

Subscriber

#3009789 14-Dec-2022 10:17

Hi, an notice that his printer was exposed online and bad actors could compromise his network and to seek professional IT assistance.

Cyril

johno1234

3352 posts

Uber Geek
+1 received by user: 2843

#3009790 14-Dec-2022 10:19

michaelmurfy:

@rbis It looks like at some point you've added your printer to the DMZ of your router - does this seem familiar? I can see all standard printer ports exposed.

I was successfully able to add the printer to Windows, I have not attempted a print however. Until you remove your printer from the DMZ on your router (or simply factory reset your router) you should unplug your printer from the network + turn it fully off.

I'd disconnect from the network then reset to factory defaults for a start.

1 | 2