Weird prints after doing portforward to printer.

**keithxxiii** · 09-06-2018, 08:04 PM

Re: Weird prints after doing portforward to printer.

What machine models do you have?

Is postscript present on those devices?

Are the required ports open from network security of the machine?

**Phil B.** · 09-06-2018, 08:16 PM

Re: Weird prints after doing portforward to printer.

Originally posted by CloussiDee

Hi
We experience problems in general, with our Ricoh MFP's when setting them up for direct print, through the internet.
They randomly print out some pages, with "aCoockie: msthash=hello/administrator" - "get/http host : x.x.x.x Connection keep-alive" and other "commands".
My portforwaring are as follows:
TCP 515 (LPR/LPD) * 515 192.168.1.199:515
TCP Print Port 9100 RAW * 9100 192.168.1.199:9100
UDP 161 (SNMP) * 161 192.168.1.199:161
UDP 162 (SNMP Traps) * 162 192.168.1.199:162
I've have attached some of the documents for illustration.
What to do? Do I miss some ports, for communication? Or is it people from outside, who try to access it?
This particular machine, is only setup on 1 PC at the moment, so it's not a post script issue.
Thanks

has their IT people made sure those ports are active and not blocked?

**NeoMatrix** · 09-06-2018, 10:56 PM

Re: Weird prints after doing portforward to printer.

First post since 2017...
Does the computer code shown below help?

captcha2.png

**rthonpm** · 09-06-2018, 11:58 PM

Re: Weird prints after doing portforward to printer.

If you have those ports exposed to the public internet, it's likely that you're getting sniffers, infected machines looking for other things to spread to, and all kinds of other scanning tools hitting the ports which the MFP then interprets as a print job.

Is there some kind of reason you'd even consider exposing those ports? There's never a good reason to expose the ports as opposed to using a VPN service or some kind of remote access solution.

**KenB** · 09-07-2018, 12:36 AM

Re: Weird prints after doing portforward to printer.

I had a similar situation some years back.

While not exposed to the outside world, a machine was printing junk every so often, but at least a few times a day.

The customer was able to narrow it down to a few certain times, within a 5 minute or so window.

We ran Wireshark to monitor the traffic. Sure enough, we found the IP address of the source.

Turned out someone in the IT department had an old NT4 machine he had been experimenting with, but forgot about...problem found and solved.

**CloussiDee** · 09-11-2018, 06:51 AM

Re: Weird prints after doing portforward to printer.

Originally posted by keithxxiii

What machine models do you have?

Is postscript present on those devices?

Are the required ports open from network security of the machine?

It's happening on MPC5502, MPC2500 and MPC5000

The 5502 has postscript installed, not the other 2.

Ports are working fine - 2 Setups with a Linksys router, and the last on UBNT Unifi.

**CloussiDee** · 09-11-2018, 06:54 AM

Re: Weird prints after doing portforward to printer.

Originally posted by Phil B.

has their IT people made sure those ports are active and not blocked?

Yes, portsforwarding are ok - print/installation/status on the printers are also ok.

Like i replied on the last post - 2 setups with Linksys router and 1 on UBNT unifi. Same ports forwarded.

**CloussiDee** · 09-11-2018, 07:00 AM

Re: Weird prints after doing portforward to printer.

Originally posted by rthonpm

If you have those ports exposed to the public internet, it's likely that you're getting sniffers, infected machines looking for other things to spread to, and all kinds of other scanning tools hitting the ports which the MFP then interprets as a print job.

Is there some kind of reason you'd even consider exposing those ports? There's never a good reason to expose the ports as opposed to using a VPN service or some kind of remote access solution.

I'm aware that i'm exposing the ports - We started out with only port 9100, but that made some problems with status on the print/toner etc.

The reasen for this solution, is that we have 15 different users, who want to access the same printer, and they have 15 different ISP's. So local printing is not a solution.

**CloussiDee** · 09-11-2018, 07:05 AM

Re: Weird prints after doing portforward to printer.

Originally posted by KenB

I had a similar situation some years back.

While not exposed to the outside world, a machine was printing junk every so often, but at least a few times a day.

The customer was able to narrow it down to a few certain times, within a 5 minute or so window.

We ran Wireshark to monitor the traffic. Sure enough, we found the IP address of the source.

Turned out someone in the IT department had an old NT4 machine he had been experimenting with, but forgot about...problem found and solved.

Thanks for the input - Maybe that will be the solution.

My impression is though, that it is happening after using the "remote print". Sometimes several hours after.
Days where it is not used, we dont get any junk prints.

**rthonpm** · 09-11-2018, 11:49 AM

Re: Weird prints after doing portforward to printer.

Originally posted by CloussiDee

I'm aware that i'm exposing the ports - We started out with only port 9100, but that made some problems with status on the print/toner etc.

The reasen for this solution, is that we have 15 different users, who want to access the same printer, and they have 15 different ISP's. So local printing is not a solution.

A VPN is going to be a better option than opening ports to the public internet. You've already opened enough to the outside to have someone malicious send malformed print jobs to the machines (you've already seen evidence of port sniffers in action) or to pull information from them thanks to SNMP that could lead to a more advanced way of attacking or exfiltrating information from the machine, with the right commands even the address book is accessible via this protocol.

**CloussiDee** · 09-12-2018, 01:48 PM

Re: Weird prints after doing portforward to printer.

Originally posted by rthonpm

A VPN is going to be a better option than opening ports to the public internet. You've already opened enough to the outside to have someone malicious send malformed print jobs to the machines (you've already seen evidence of port sniffers in action) or to pull information from them thanks to SNMP that could lead to a more advanced way of attacking or exfiltrating information from the machine, with the right commands even the address book is accessible via this protocol.

Thanks - I'll try to convince them to put some hardware in between.

At the moment, the MFP, is the only thing connected to the router. No clients, servers, etc.

"ISP/Public IP" > "Linksys Router" > "Ricoh MFP"

Weird prints after doing portforward to printer.

Weird prints after doing portforward to printer.

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment