Discussion stats
  • 10 replies
  • 3233 views
  • 4 kudos
  • 6 in conversation
Announcements

Top Contributors
Reply
Highlighted
Aspirant

Message on printer...is this some sort of hack?

This message was on my printer this morning...anyone know what this means?

 

I have a Nighthawk R7000P with Armor activated.

 

# GET / HTTP/1.1

Host: Internet address

Accept: */*

User-Agent: python-requests/2.9.1

Connection: keep-alive

Accept-Encoding: gzip, deflate

Message 1 of 11
Highlighted
Guru

Re: Message on printer...is this some sort of hack?

Could be any vulnerable scanner testing the printer port for the presence of a Web server service. However, good scanner don't hide behind a generic "User-Agent: python-requests/2.9.1" ...

 

# GET / HTTP/1.1

Host: Internet address

Accept: */*
...

 

What is the Internet address is shown (printed) here?

Message 2 of 11
Highlighted
Aspirant

Re: Message on printer...is this some sort of hack?

The Host Internet address on the printed message is not the same as my router IP address....would this mean that the Host address is the IP address from which this message is coming from?

Message 3 of 11
Highlighted
Guru

Re: Message on printer...is this some sort of hack?

Is it a private LAN (RFC 1918) address - assumingly from your own LAN (don't worry, millions of installations make use of these, so there would be nothing wrong to post) - probably of a system where you have installed Bitdefender for example?

Message 4 of 11
Highlighted
Aspirant

Re: Message on printer...is this some sort of hack?

  Actually it’s very close to my IP address...beginning with 192.  Is it possible that this is related to Bitdefender....this started soon after installing Armor on my system...

Message 5 of 11
Highlighted
Guru

Re: Message on printer...is this some sort of hack?

Of course, the Armor (Bitdefender) does run some vulnerability tests over all network devices discovered - so this is most likley an IP address of a machine where you have installed it.

 

And again, you can post these 192.168.x/24 addresses - we're all using the same (except those which are on the 10/8 prefix or in the 172.16/12 prefixes.

Message 6 of 11
Highlighted
Initiate

Re: Message on printer...is this some sort of hack?

I have two printers attached to the router and since the "trial version" of the NETGEAR's ARMOR was installed, about 40 pages of copier paper have been trashed! Each "cycle" uses five pages. The first page is a six lines message that starts with the GET / HTTP/1.1 line. By the fifth page, it is a one liner of a few ASCII characters?! "Nice" feature NETGEAR!

Message 7 of 11
Highlighted
Guru

Re: Message on printer...is this some sort of hack?


@TIRESIAS wrote:

I have two printers attached to the router and since the "trial version" of the NETGEAR's ARMOR was installed, about 40 pages of copier paper have been trashed! Each "cycle" uses five pages. The first page is a six lines message that starts with the GET / HTTP/1.1 line. By the fifth page, it is a one liner of a few ASCII characters?! "Nice" feature NETGEAR!


Typical behavior when doing fingerprinting and security tests on open ports trying for a Web server. Depending on the vulnerability checks run, e.g. some CGI and/or overflow tests, some "specific" code is sent to these ports, what can lead to random output - or worst case it can make the printer port hang or lock up.

 

That's the "fun" when dealing with automated and scheduled vulnerability testing. Netgear resp. Bitdefender has to find way to exclude some devices (by IP, by MAC) from the regular "attacks". @Christian_R  please push this forward to the Armor and Bitdefender teams.

Message 8 of 11
Highlighted
Aspirant

Re: Message on printer...is this some sort of hack?

It's happening to me too. Definitely the Netgear armor on my orbi network.
Message 9 of 11
Highlighted
NETGEAR Moderator

Re: Message on printer...is this some sort of hack?

Hi @Lionkill, this has been reported to engineering and is currently being worked on. We will provide an update once available.

 

Dexter

Message 10 of 11
Highlighted
Aspirant

Re: Message on printer...is this some sort of hack?

so in the meantime I have disabled Armor.

Message 11 of 11