2554ci Randomly prints documents

Re: 2554ci Randomly prints documents

This is web code being sent to the printer, but in a very unusual fashion.

50.207.19.114 appears to be the printer and some 'host' is sending WEB code to the ALL OPEN TCP print ports IN ORDER. Someone may be war-driving the printer. (Wardriving involves attackers searching for wireless networks with vulnerabilities while moving around an area in a moving vehicle. )

The header of the printed document shows webcode being directed at the following addresses:
50.207.19.114:9100 is default printer port, the others are virtual printer ports for custom applications
50.207.19.114:9101
50.207.19.114:9102
50.207.19.114:9103

This is not normal and looks intrusive. Normally only port 9100 is used by Print Setup in most operating systems and only advanced users direct printers to ports 9101-9103

Are there other network connections to the machine?

I would set the WiFi Direct NOT to broadcast the SSID (if possible, I cannot check RN), change it, and make a note of it. Set up user to manually enter SSID for connections.

Re: 2554ci Randomly prints documents

Samanator - I sent you a PM regarding your issue.

Re: 2554ci Randomly prints documents

Now that I think about it, the Wifi direct sets up a different IP schema. Still a good idea to make it un-adverstised.

I am guessing it's a Wired connection and the traffic could be a security port scan.

Re: 2554ci Randomly prints documents

The random garbage printed only at the top of many of the pages reminds me of what you would get in days of yore when you sent a job to a dot matrix printer using a laser driver or visa versa. The entire output is what the printer is trying to decipher the job header. Also seen it with early document publishing software when a job was sent to early PCL printers using a PostScript driver. 20 pages isn't bad, I seen go hundreds of pages with just a few lines of garbage at the top of each page.

Re: 2554ci Randomly prints documents

It's certainly some kind of non-print data. The way that I stopped such prints was to enable job accounting, ignore jobs without valid job account. That does mean that your user will have to enter a job account ID to use the machine, but it is a small price to pay to exclude this type of non-print data. And the job account ID is programmable into the print driver.

Changing the IP will not help if whatever this data is, is broadcast to all IP's. IT support will insist that there is no non-print data hitting the machine's IP address, and I just never had the skills to prove otherwise. =^..^=

Re: 2554ci Randomly prints documents

Interesting read. Now I have more words to look up. =^..^=

Re: 2554ci Randomly prints documents

You are exactly right and let me finish that sentence as a rule:

"...send any data to the printer that it cannot interpret as print code"

Print code always starts with an 'emulation tag'...something that tells the printer what language the file is in.

!PS-Adobe, %-12345x, !R! are all tags we see telling the controller what language to interpret and which should appear in proper print files.

Without a TAG the controller will treat the data (bits) as ASCII text and print the literal data, not an interpreted image.

NOW while printer code has a lot of binary and special code date that renders as gibberish, most computer code is written in ASCII text, so if it's sent to the printer we see the actual code.

Here there is clearly and HTTP designation in the output, which could also be part of an XML SOAP transaction, a known exploit. There are also some other vulerabilities via web interface hacking I can't go into but they're ALL fixed in the latest firmware.

The methodical way it goes from port 9100 to 9101, 9102 could just be a port scan from some security device as I mentioned. Locking down the IP address to a static user helps avoid all this traffic, if you can.

Re: 2554ci Randomly prints documents

After all y'alls input, I went out to the location and turned off WiFi Direct. One of y'all PMed me with an observation that helped me to realize that WiFi Direct is most likely at the root of this problem.

When I set up a machine, I usually turn of WiFi and with Kyocera machines WiFi Direct. I only use WiFi when the customer absolutely requires it. I have found with Kyocera machines if a client wants air print (and they don't want to download the Kyocera app), the easiest solution for me is to turn on WiFi Direct and the customer is happy. No one has to make sure they are logged into the correct WiFi network. Just print and go. The big cheese at this company wanted to be able to air print from his phone. Hence, I turned on WiFi Direct and everything seemed to be fine....until.

So with WiFi Direct turn off, we will see. If the guy wants to print from his phone, he is going to have to make sure he is on the correct WiFi network.

Thanks again for all the input.