
The rise of the printers

Yesterday, Andrew Hay blogged about one of his printers generating really strange traffic: it was scanning the firewall and was trying to get to metasploit.com!

This reminded me of a similar case I had with one of our customers. A small write-up...
The customer could no longer send any emails. They discovered that their mailserver was blacklisted for sending SPAM, and called in our help.

We checked the mailserver, and there were indeed lots of emails going out. We searched further, and found 3 hosts that were sending excessive traffic to the mailserver: 3 HP multifunctional printers in 2 different physical locations in different subnets. We blocked the access from the printers to their mailserver on the in-between firewall, they were removed from the blacklist, and their email problem was resolved.

But now we were still stuck with the massive amount of traffic the printers were sending towards the firewall, trying to reach the mailserver. We configured the printers so they could not send emails anymore, but this was not a permanent solution as they still wanted to be able to scan documents and have them delivered to their inboxes. We got in touch with HP Support, and they claimed that it is impossible for the printers to initiate traffic on their own, and that there should be another host somewhere on the network that instructs the printers to send said traffic.

Again, we went sniffing the network trying to find a host that was steering the printers, but alas nothing was found but 'normal' print jobs. Hearing this, HP still didn't seem to believe what was happening, and suggested re-flashing the printers and wiping the hard disks, which we did. But again, once connected back to the network and the email service was enabled, the strange traffic reappeared.

We decided to take one of the printers out of the network, and connect it directly to a laptop. Sniffing on the laptop, we noticed that the printer immediately began ARPing for an address that is completely unrelated to this customer, and was even found to be located overseas. Searching further, the address belonged to a known spammer.

With this information, finally HP believed something was seriously wrong with the printers, and began investigating... and as far as I know today, after 3 months, they still are (yeah right), 'cause I never heard back from them since. And how 3 printers in 2 locations and different subnets all started this behavior at the exact same time... beats me!
