Potential compromise in the network


Sagar Belure

Oct 12, 2017, 8:43:48 AM10/12/17
to null-...@googlegroups.com
Hello,

Quick brief: There were some gibberish printed papers near my office printer. I gave them a closer look.
1. Surprisingly, one of the papers had the following content -
...snip...psfile="`/bin/ping -c 10 <ip>"...snip...

2. Some PJL commands -
12345X@PJL INFO ID
12345X
GGG12345X@PJL DMINFO ASCIIHEX="00000401010302"
12345X
...snip...
That talks about a potential compromise in the network.

But apart from that, there's virtually nothing I'm able to gather from the internet.

Anyone saw this?

Regards,
Sagar Belure

Rajesh A.

Oct 12, 2017, 10:10:04 AM10/12/17
to null-...@googlegroups.com

--
______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+unsubscribe@googlegroups.com.
Visit this group at https://groups.google.com/group/null-co-in.
For more options, visit https://groups.google.com/d/optout.

Sagar Belure

Oct 12, 2017, 10:50:44 AM10/12/17
to null-...@googlegroups.com
That's pretty much spot on Rajesh. Thanks.

The printout in my hand looks pretty much like the one you see in the Reddit post.

Looks like a lot more work to look at the system logs, then.

Regards,
Sagar Belure

Hitesh Bhatia

Oct 12, 2017, 10:54:57 AM10/12/17
to null-...@googlegroups.com
Just a suggestion - if the ping back worked, and if a packet capture was running, the ARP or equivalent packets would probably have the IP address of the attacker.

Obviously, nobody has a packet capture running at all times... 

Sagar Belure

Oct 13, 2017, 4:07:45 AM10/13/17
to null-...@googlegroups.com
Okay. Update on this.

This turned out to be the Nessus box. :)

Nessus found a vulnerability (related to HP LaserJet printers), and to exploit it further, it passed those PJL commands to the printer. To confirm it was exploitable, it had to make the printer ping it back. So that IP was actually Nessus's host itself.

Figured that out almost instantaneously. But that was a facepalm moment. ;)

Lesson - should've checked my inventory before shooting out the question and asking for help. :)

Regards,
Sagar Belure
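The triage the thread ends up doing by hand (spot the PJL and the backtick command substitution in the printout, pull out the call-back IP, then check whether that IP is a known scanner) can be scripted. The following is an added example written for this page, not code from the thread or from Nessus. The printout text and the scanner inventory are constructed for the example, and the IP addresses and hostnames in them are hypothetical.

```python
"""Added example: triage raw print-job data like the printout in the thread.

Two checks a responder would want before escalating:
  1. find PJL commands and shell-style command substitution (`...`) in the
     job payload, e.g. psfile="`/bin/ping -c 10 <ip>`", and extract any IP
     the payload would call back to;
  2. check that call-back IP against an inventory of authorised scanners,
     so a vulnerability-scanner check is not mistaken for an intrusion.

All sample data below is constructed for this example; IPs and hostnames
are hypothetical.
"""
import ipaddress
import re

# PJL commands start with "@PJL". The ESC%-12345X universal exit language
# prefix is usually lost, or rendered as a bare "12345X", once the printer
# has printed the job as plain text, so only the "@PJL ..." part is keyed on.
PJL_RE = re.compile(r"@PJL\s+(?P<cmd>[A-Z]+)(?P<args>[^\r\n]*)")
# Backtick command substitution inside a parameter value. The closing
# backtick may be missing on a printout, so stop at a backtick, quote or EOL.
BACKTICK_RE = re.compile(r"`(?P<shell>[^`\"\r\n]+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: the same shape as the printout described in the thread,
# with a hypothetical call-back address filled in.
SAMPLE_PRINTOUT = (
    '...snip...psfile="`/bin/ping -c 10 10.0.5.20`"...snip...\n'
    "12345X@PJL INFO ID\n"
    "12345X\n"
    'GGG12345X@PJL DMINFO ASCIIHEX="00000401010302"\n'
    "12345X\n"
)

# Constructed inventory of hosts that are allowed to probe printers.
SCANNER_INVENTORY = {"10.0.5.20": "nessus-01 (vulnerability scanner)"}


def parse_job(data: str) -> dict:
    """Return PJL commands, embedded shell commands and call-back IPs in data."""
    findings = {"pjl": [], "shell": [], "callback_ips": []}
    for m in PJL_RE.finditer(data):
        findings["pjl"].append((m.group("cmd"), m.group("args").strip()))
    for m in BACKTICK_RE.finditer(data):
        shell = m.group("shell").strip()
        findings["shell"].append(shell)
        for ip in IPV4_RE.findall(shell):
            try:
                ipaddress.ip_address(ip)  # reject things like 999.1.1.1
            except ValueError:
                continue
            if ip not in findings["callback_ips"]:
                findings["callback_ips"].append(ip)
    return findings


def classify(findings: dict, scanners: dict) -> list:
    """Label each call-back IP as an authorised scanner or an unknown host."""
    verdicts = []
    for ip in findings["callback_ips"]:
        owner = scanners.get(ip)
        if owner:
            verdicts.append((ip, "authorised-scanner", owner))
        else:
            verdicts.append((ip, "unknown-host", None))
    return verdicts


if __name__ == "__main__":
    found = parse_job(SAMPLE_PRINTOUT)
    for cmd, args in found["pjl"]:
        print(f"PJL command: {cmd} {args}")
    for shell in found["shell"]:
        print(f"Embedded shell command: {shell}")
    for ip, verdict, owner in classify(found, SCANNER_INVENTORY):
        print(f"Call-back target {ip}: {verdict}" + (f" ({owner})" if owner else ""))
```

An "unknown-host" verdict is the case that still needs the log review the thread talks about; an "authorised-scanner" verdict is the facepalm moment caught before the question goes out. The inventory lookup is deliberately exact-match: a scanner that moves to a new address should show up as unknown until the inventory is updated.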

Ajaz Ahmed

Oct 14, 2017, 10:46:30 PM10/14/17
to null-...@googlegroups.com
You may feel foolish, but everyone has their facepalm moments at some point or the other.
Ajaz Ahmed