You can make a difference in the Apple Support Community!
When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.
When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.
Our printer just spontaneously printed out two sheets of paper.
The first had this on it: "ö☺<de=♠IEEEMlsqlexec♠9.280"
And the second sheet had this on it: "RDS\#R000000♣sqli☺3☺♣nmap♣nmapol=tlitcp☺h"
Can anyone help me figure out what this might indicate?
Same, only the "ö☺<de=♠IEEEMlsqlexec♠9.280" though...
Second page was blank.
Brother HL-5050, connected to AP Extreme, shared to 2 macs. Since the printing, my printer has stayed on, ready to print status, usually it turns off by itself after 10-15 min or so...
I'm going to guess that the common theme here is that we're all forwarding port 9100 or 631 to our printer to allow ourselves to print from outside the network, which sets up an HTTP server at that address open to the internet. All it takes is for somebody to put the appropriate GET request in, but the SQL attack wouldn't be very useful on a printer.
It doesn't say "sqlite3," it says "sqli."
"3. What is SQLI ?
We know Some About SQL and Vulnerability.. Now you think What is this SQLI.. I Stands for Injection , Inject. This is Not a Injection Of Doctor’s.. But it Work as a Real Injection .. Ok.. leave this Crap thing..
Now Actually What is Injection .. Injection means inject… Injection Inject the Database through Vulnerability. and Leech the Data From Database.Now your have Question in Your Mind that Why We Use .. SQLI…
We learn Injection Inject the Database But how.. It Use the SQL Command to Inject a Database.. that this is Know as SQLi.. Now one another Question Which type of Command .. But Don’t worry .. Because here We use Basic Command Like Union ,Select, Group by etc.. Now you Know What is SQL,SQLI, or Injection..
Now You think We Know Vulnerability,,SQLi but ..How We find that What is the Format Of Vulnerability.. bla bla bla .. ok .ok .. See here . Basically in the SQLI .. the Format Of Vulnerable String is like this… "
It happened here too. First my Brother HL-5370 printed it, then about 10 minutes later, my HP OfficeJet 7310 printed a slightly different string. They both have the "IEEEMlsqlexec" in common.
Both of our printers have public IP addresses, with the Brother is a bit higher (x.x.x.05) than the HP (x.x.x.02). Looks like somebody is methodically testing addresses, looking for exploitable machines. Our web servers are higher up and none appear to have been hacked, so I'm guessing (hoping) OS X is impervious to this particular attack.
My understanding is "sqlexec()" is some kind of function for Microsoft SQL... or am I looking at a wrong place? If it actually is a hacker trying to attack, do you think it's targeting OS X or affect in anyway? What should we do to prevent any further problems?
My printer just did it again and woke me up! I actually had my Mac disconnected from the network as I was getting paranoid so can't be an OS X thing.
I have my printer connected via an Airport Express and just disabled Back to My Mac on the router, wonder if this will stop it happening again? Do you guys also have this enabled on your Airports?
Ours has done the same thing 3 times this weekend. the printout we had was ö<de=IEEEMlsqlexec9.280.
Our printer is an Epson PX730WD and I have printed 2 pictures wirelessly from my iPhone 4 ?????
What's going on here
It is possible that nmap is scanning for server information. It is worth noting that RDS, sqlexec, and tlitcp are associated with the Informix DBMS. nmap includes an Informix library (and many others).
I suspect such scans on open ports are not unusual.
I too have had this problem.
I've reported the problem on the HP forums but all I got was this canned response...
http://h30434.www3.hp.com/t5/Printing-Issues-Troubleshooting/Random-strings-prin ted/td-p/1778381
You'd think HP might take a potential security issue seriously.
It would be advisable for anyone experiencing this issue to give a list of installed apps, to confirm that it is not a rogue app scanning your network from your device. If everyone experiencing the issue has a certain app installed, it may point to the issue.
What Operating system are you using? i.e. win 7 Home premium 64 bits.
This is the main support page for your printer, keep in your bookmark if you need to refer to it in a latert time.
http://h10025.www1.hp.com/ewfrf/wc/product?cc=us&dlc=en&lc=en&product=5063582&su bmit=&
Go to software and drivers download and select your operating system. You should also upgrade the firmware of the printer. if an upgrade is available.
After that if you still facing this issue, Please follow this link www.hp.com/go/tools. Download and use the HP Print and scan doctor, It will check for problems of the different functionality Printing, Scanning and connectivity fixing most of them, if the utility cannot fix the issue let me know I will give my best effort to provide other troubleshooting steps and help you with your issue.
HTH
Original Post - http://h30434.www3.hp.com/t5/Printing-Issues-Troubleshooting/Random-strings-prin ted/td-p/1778381
Thanks
Jagdish Chichria
Hi,
I'd say you're almost definitely correct with that. If the printers are listening on the Internet (have a public IP address) then they will get contacted by port scanners.
I use NMAP in my day job and I always make a point of avoiding fully scanning network printers as it tends to make them spit out large numbers of pages with odd characters on them.
the sqli and similar strings that people in this thread are seeing are likely from nmap probes looking to fingerprint the device.
If you want to reproduce it, doing nmap -A -v -n <my_ip_address_here> should work ok.
If you do have your printers listening on the Internet I'd recommend putting them behind a firewall as whilst nmap scans are not malicious in and of themselves they can be used by people with malicious intent.
A computer security tool called nmap was used on the public network you use (Cable, DSL, FiOS, etc.). While scanning ports, and sending prob strings to open ports, your public IP had an open port from Internet to your Printer. What you are seeing on the printout is a string attempting to prop SQLi port, but instead, ALL DATA RECEIVED ON PORT FORWARDED DIRECTLY TO PRINTER OUTPUT. That is, anything sent to that port of your public IP address gets printed.
Ask yourself: Do I have printing available from my iPhone or Android device? Did I install special software when I got my printer to do "printing from the web" on my computer? Did I enable printing from iCloud?
These are signes that your printer is just hanging off the public internet and anyone can send junk to your printer and it will print!
Interesting...I got a hit the other day from an IP address originating in Thailand (WHOIS query showed me who owned the range) that attempted to access my mysqld... Pass my firewalls and everything. LittleSnitch was what alerted me.
I'll be watching this thread
- MattD
I have so far been unable to replicate the fault by using nmap externally on my IP range and as far as I'm aware my router doesn't have any ports open to my router.
Just because this is an "ePrint" printer and it's "in the cloud" it does not mean the same thing as "publicly accessible".
Has anyone else been able to replicate this problem yet?
Our printer just spontaneously printed two strings...
