Printer Spewing Reams of Garbage

ArcherBowman has asked for the wisdom of the Perl Monks concerning the following question:

I do not hablo perl. I am a 52-year-old script kiddie with over thirty years experience in administering Microsoft networks.

All of a sudden one of my printers has started periodically spewing out reams of paper with a couple of lines of random characters. But the first page included the following, and a google search led me here. Can anyone help me identify where these printouts are coming from and help me stop them?

GET / HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: <ip address redacted>:9100
User-Agent: libwww-perl/6.15
[download]

Comment on Printer Spewing Reams of Garbage Download Code

Replies are listed 'Best First'.
Re: Printer Spewing Reams of Garbage by kennethk (Abbot) on Jan 11, 2016 at 19:56 UTC
The line: `User-Agent: libwww-perl/6.15` [download] indicates that someone is (probably) using the LWP::UserAgent module to construct a web robot. See User_agent for the meaning (and lack of meaning) of that string. Is the `Host` IP your printer? My best guess is that either a) someone on your network is printing results from a GET accidentally or without thinking, or b) your printer has some HTTP-based protocol for initiating printing that is getting abused. The random character and mostly blank thing is most likely since they are printing the binary of a `gzip`ed file. #11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.	[reply] [d/l] [select]
Re: Printer Spewing Reams of Garbage by Mr. Muskrat (Canon) on Jan 11, 2016 at 19:22 UTC
Just because the culprit is using Perl to talk to your printer doesn't mean that this is a Perl problem. Stop allowing port 9100 through the firewall (or install a firewall if you don't have one). Trace the IP to the source. Since you are a self-proclaimed "script kiddie", you might need to hire an expert to help with one or both of those.	[reply]
Re: Printer Spewing Reams of Garbage by VinsWorldcom (Prior) on Jan 11, 2016 at 19:52 UTC
I assume the "redacted" IP address is that of your printer; 9100 is a common well-known HP printer port. Other than "User-Agent: libwww-perl/6.15", is there any other information as to the remote host that's making the connection to your printer? You could always put a packet capture on the wire, to find the source, trace it down and SHUT it down!	[reply]
Re: Printer Spewing Reams of Garbage by FreeBeerReekingMonk (Deacon) on Jan 12, 2016 at 00:49 UTC
convoluted solutions: Run a sniffer that captures traffic only send to your printer IP address. This will require some authorization from the security department. Wireshark is free and available for Windows. Tell the department the printer has been changed, and change the name and IP address from the printer. Put a server on that IP address instead. Let it listen for any incoming traffic and record sender and timedate (can be acomplished by a small perlscript) Send somebody to the printer to configure BANNER_HEADER=TRUE and add more data to it. This would include sender hostname and username. See HP documentation. Meanwhile, keep paper tray almost empty, just enough for normal usage, until the "error" comes, cancel job, and refill papertray... not pretty but it works. Good luck with the hunt.	[reply]
Re: Printer Spewing Reams of Garbage by hotchiwawa (Scribe) on Jan 11, 2016 at 19:25 UTC
It seems that someone tried to print a zip file :) and escape characters like FF... give your result https://en.wikipedia.org/wiki/Page_break	[reply]
Re: Printer Spewing Reams of Garbage by GotToBTru (Prior) on Jan 11, 2016 at 19:34 UTC
Where do you see the above? Full path might help someone identify what this is part of. But God demonstrates His own love toward us, in that while we were yet sinners, Christ died for us. Romans 5:8 (NASB)	[reply]