Is your printer part of a flaming botnet?
We’ve had some reports that people are receiving printed documents with the following content:
stackoverflowin has returned to his glory,
your printer is part of a flaming botnet,
the hacker god has returned form the dead.
—> YOUR PRINTER HAS BEEN OWNED <—
((struct Elf32_Ehdr*) ((0xFF & memes)base)->e_machine)
GREETINGS FROM BREAKTHEINTERNET (BTI) WITH LOVE
If this has happened to you, it’s likely you’ve forwarded port 9100 and your printer is reachable by others on the internet.
It’s affecting all major brands of printers such as:
- Konica Minolta
Our suggestion is to close this port ASAP on your router and factory reset your printer for good measure! This has happened because someone has access to the printer and is able to send it print commands, using information in the HP PJL printer manual to exploit printers.
I’ve been hacked.. How did they get in?
The security between you and the public internet is controlled by your router firewall. This box protects your devices at home from being accessed by someone outside your network without your permission. Sometimes ports on the router are opened for gaming, remote working and even remote printing (this might be you). Printers are generally the most insecure devices in your home. Once someone has access, they can print whatever they like without needing a password. It’s likely you or someone in IT has opened this port for remote printing or, in extreme cases, your router has a known exploit and has been compromised, leaving the door open for attacks like this!
What next.. Close port 9100, 361, 515, 8080, 80 and 443 if open
- Visit your router/firewall webpage, normally http://192.168.1.1 or http://192.168.1.254. *If you can’t find this, open Command Prompt, type ipconfig and press Enter, then use the Default Gateway address to get into the control panel.
- Log in to the router
- Find an area of the router called one of the following: NAT / Network Address Translation / Open ports / Port forwarding
- Delete/disable the rule that points to your printer. *If it’s not there, proceed to the next step
- Find an area of the router called DMZ and ensure this isn’t pointing to your printer either.
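To confirm the rules are really gone, the following added example (not part of the original post) tries a TCP connection to each port listed above. Run it against your own public IP address from a connection outside your network, such as a phone hotspot; the service labels and function names are assumptions added for readability.

```python
import socket
import sys

# Ports this page says to close. The labels are the common uses of each port
# (an assumption added here); the page itself only lists the numbers.
PORTS = {
    9100: "raw printing (JetDirect/PJL)",
    515: "LPD printing",
    361: "listed on this page",
    8080: "alternate web admin",
    80: "printer/router web admin",
    443: "printer/router web admin (HTTPS)",
}


def port_state(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"      # host answered, nothing is listening
    except OSError:
        return "filtered"    # timeout or unreachable: firewall is dropping it
    finally:
        sock.close()


def exposed_ports(host, ports=PORTS, timeout=3.0):
    """Return the sorted list of ports that accepted a connection."""
    return sorted(p for p in ports if port_state(host, p, timeout) == "open")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_printer_ports.py <your-public-ip>")
    found = exposed_ports(sys.argv[1])
    for p in found:
        print(f"port {p} is reachable ({PORTS[p]}): remove the forward/DMZ rule")
    if not found:
        print("none of the listed ports accepted a connection")
    sys.exit(1 if found else 0)
```

Ports 80 and 443 may be answered by the router itself rather than the printer, so an "open" result there means checking the router's remote administration setting as well.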
Quick tip.. Change your printer password
You can set a password to prevent unauthorised users from remotely configuring the printer or viewing printer settings from the embedded web server (EWS). Once set, this password is required to change or view many printer settings from the EWS.
For consumer HP OfficeJet products, you may need to assign a password by going to:
- Password Settings
Can’t see the port forward or DMZ rule.. Your router might be vulnerable/hacked too!
Our blog has been booming with hits, emails and comments on this topic. If your router is more than 3 years old, has never been updated or has a known exploit, it might be safer to simply replace your router if you can’t see the rules in there. If this is the case, we’ve linked the firewall router we recommend to our clients; this works with ADSL, VDSL and ethernet fibre.
Check our blog on how to improve your printer security
Update: New messages confirm it’s port 9100…
stackoverflowin the hacker god has returned, your printer is part of a flaming botnet, operating on putin’s forehead utilising BTI’s (break the internet) complete infrastructure.
lol just, kidding
For the love of god please close this port, skid.
stackoverflowin/stack the almighty,
hacker god has returned to his throne,
as the greatest memegod. Your printer is part of a flaming bonnet.
–> YOUR PRINTER HAS BEEN PWND’D <–
There’s even a box with 9100 written on it! (Big clue).
Also close port 9100, 361, 515, 8080, 80 and 443 if open
Did this happen to you? We’d love to hear your experiences.