We have been seeing probes to port 9100/TCP in the HITME for a while and decided to check out some of the activity and post about it, so others could know what is going on there.
The connections come from a few sources, often universities, and don’t seem to be anything more than misconfigurations of devices in their environment. The connections that come in on port 9100 often contain the “@PJL INFO PRODINFO” strings, which are apparently tied to the HP Printer Job Language (PJL). Basically, the command is supposed to dump out identifying data from the printer and return it to the user. This data includes a variety of configuration data and other details about the device. You can find an example here.
The port 9100 connections usually coincide with a connection to port 80/TCP on the same host. This port 80 connection looks something like this (with IP address info in the x.x.x.x string):
“GET / HTTP/1.1\nAccept-Encoding: identity\nHost: x.x.x.x\nConnection: close\nUser-Agent: Python-urllib/2.7\n\n”
Now this is a little interesting. It is likely meant to be a validation probe that the printer device’s embedded web server is online and that the device is operational. BUT, the “Python-urllib/2.7” made us suspicious. Perhaps this isn’t a usual printer request?
A little Google searching pretty quickly shows that HP’s implementation of CUPS, that is the unix printing mechanism, strongly leverages this Python library. So, that might not make it suspicious as most folks might think.
So, we did the next thing in our bag of tricks, and returned valid connections from HoneyPoint on those ports. Our waiting finally came to fruition and lo and behold, we got more connections of the same nature. This time though, we also got a print job for the “printer” to print. What did we get? Spam, of course. Printer spam. An ad to buy some stuff, that needless to say, we don’t really need. 🙂
So, what are those port 9100 probes? What is the basis behind that “@PJL INFO PRODINFO” in your logs? Nothing more than spam attempts to waste your paper, ink/toner and time. Hey, it could have been worse, right? 🙂
Obviously, turning off port 9100/TCP from the Internet will help prevent this stuff from coming into your organization. It looks like a few malware folks have added this capability to their spyware/adware routines as well, so if you have 9100 blocked from the Internet and see printer spam coming in, track the print jobs back to a workstation if possible and do the turn and burn routine. Let us know if you have any questions or issues, and we will keep our ears and eyes open on port 9100 traffic and drop some more info if we see anything that looks wormy or the like.
MSI ongoing assessment customers will note that port 9100 signatures are routinely tested and you would be notified of any illicit behaviors found during your assessments.
PS – There have been some “worm” like behaviors on port 9100 in the past, including a couple of pieces of printer malware. We didn’t see it in this case, but we know it’s out there…Here is an example of some of what may be lurking in your printer…