Mysterious HP JetDirect card

By johnnyextreme ·
There is an HP JetDirect card on my network that is not one of the printers I installed. I can ping this card (10.0.0.255). It has open ports 25 and 110 (Why does a printer need e-mail?). It responds to SNMP on Port 161 with "Reply: HP ETHERNET MULTI-ENVIRONMENT,ROM G.07.19,JETDIRECT,JD3". This is the same reply I get from the other printers that I do know about.
Does anyone know what this might be?

7 total posts (Page 1 of 1)  
by johnnyextreme In reply to Mysterious HP JetDirect c ...

I found it - this is the LinkSys DSL Router which has a Cisco IOS. This router has an assigned internal address of 10.0.0.1 - I never assigned it 10.0.0.255. Why does it have this address, why are ports 25 and 110 open, and why does it respond to SNMP requests as an HP JetDirect card? Any satisfactory answers get 1000 points

by d.walker5 In reply to Mysterious HP JetDirect c ...

You may have a Trojan. Two suggestions: (1) download a Trojan hunter, e.g. McAfee. (2) Always keep firmware on HP Jetdirect print servers at the latest revision level. As firmware is revised, performance and security are improved. With older firmware, attackers can obtain sensitive information and gain unauthorized access to the printer. Jetdirect firmware can be upgraded using either Download Manager or HP Web Jetadmin software. Both of these applications are automatically able to download the latest firmware images from the Internet.

by johnnyextreme In reply to

The HP Download Manager did not recognize 10.0.0.255 as a printer, although it did upgrade the firmware on all our networked printers. This is not a print server, it is a Cable/DSL router model BEFSR41 Ver 3. with the latest firmware. I'd like to know why this router has an IP address that I did not directly assign to it (10.0.0.255), why this IP address has open ports 25 and 110, and why this IP address responds to SNMP on port 161 as HP ETHERNET MULTI-ENVIRONMENT,ROM G.05.34,JETDIRECT,JD3.

by -Q-240248 In reply to Mysterious HP JetDirect c ...

10.0.0.255 /24 is a broadcast address (provided your netmask is 255.255.255.0), in other words, what you may be seeing is the initial broadcast, not the response.

I don't know how you get ports 25 and 110 off of a broadcast address, but I suspect you're not seeing this correctly. A linksys router will not/cannot perform email functions, it can only forward data.

Post the tool you use to gather your information and the results it gave you.

by techtonik In reply to Mysterious HP JetDirect c ...

One thing to try is to attempt to telnet to the open SMTP port and see what you get back. Most of your standard scanners will do this for you, but sometimes you just have to get your hands dirty....;) Do a "telnet 10.0.0.255 25" from a cmd prompt and see what it responds back with. The issue is that since you are pinging a broadcast address, there is a possibility of getting responses back from different machines.

Check your LinkSys (and by all means, feel free to spend a little more money and upgrade to a D-link or a netgear, as this can resolve a few issues anyway; not a big fan of Linksys as they have proven themselves unreliable and flaky) and make sure that it is not responding on .255 for some sort of management purposes. Also make sure that none of your Jetdirect cards in service are misconfigured. Jetdirect cards are pretty particular in how they are set up and they will double up on IPs if not configured correctly. Feel free to post the text that is responded with from your telnetting! Hope this helps!

by Nico Baggus In reply to Mysterious HP JetDirect c ...

A linksys router uses the linux OS. This may be part of your answer. It can do more than just routing.

A ping on 10.0.0.255 when your netmask is 255.255.255.0 will mean it is a broadcast ping. You should get more answers. Windows doesn't answer to broadcast ping; linux and jet direct do answer to these pings.

If you added port forwarding to allow access to a mail/pop server the router might also forward your probes.

Have you tried to identify the mail/pop server?

Doing a "telnet <ip> 25" the computer will probably tell you who it is, like this:
"220 localhost ESMTP Exim 4.50 Sat, 24 Sep 2005 15:31:23 +0200"

Also popservers will tell who they are, like:
telnet <ip> 110
"+OK QPOP (version 2.3) at localhost starting."

I configured this machine to tell localhost. It also tells you that exim & qpop are used as relevant server.

If the linksys proxies requests, these telnet commands will tell you the real node (or also localhost, which will tell you nothing).

Doing an nmap scan might give you a better result. Systems should not react to opens on the broadcast address.

If the netmask for your network is different then maybe a device is improperly configured. Also someone might have made a typo configuring a jet direct card.

HIH
Kind regards,
Nico Baggus

(more information might give more answers..)
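Two points in this thread lend themselves to a small worked example: -Q-'s observation that 10.0.0.255 is the subnet broadcast address (so a probe sent there may be answered by several hosts), and Nico's suggestion of reading the SMTP and POP3 greeting banners to identify what actually answered. The script below is an added example, not code from any poster. It checks whether a target address is the broadcast address of the local subnet, then parses greeting banners of the shape quoted above into service, hostname and software, and groups replies by the source address they came from. All sample replies are constructed: the two `localhost` banners are copied from Nico's post, the `10.0.0.17` Postfix banner is invented for illustration, and no network traffic is sent.

```python
import ipaddress
import re

# Constructed sample replies: (source address, port, greeting banner).
# The first two copy the banner shapes quoted in the thread; the third
# is an invented second responder to show how a broadcast probe can be
# answered by more than one host.
SAMPLE_REPLIES = [
    ("10.0.0.1", 25, "220 localhost ESMTP Exim 4.50 Sat, 24 Sep 2005 15:31:23 +0200\r\n"),
    ("10.0.0.1", 110, "+OK QPOP (version 2.3) at localhost starting.\r\n"),
    ("10.0.0.17", 25, "220 mail.example.test ESMTP Postfix\r\n"),
]

# Hostnames that tell you nothing about which box replied.
PLACEHOLDER_HOSTS = {"localhost", "localhost.localdomain"}

SMTP_RE = re.compile(r"^220[ -](?P<host>\S+)\s*(?P<rest>.*)$")
POP3_RE = re.compile(r"^\+OK\s*(?P<rest>.*)$")


def is_subnet_broadcast(target: str, local_ip: str, netmask: str) -> bool:
    """True when `target` is the directed-broadcast address of the subnet
    that `local_ip`/`netmask` belongs to (e.g. 10.0.0.255 for 10.0.0.1/24)."""
    net = ipaddress.ip_interface(f"{local_ip}/{netmask}").network
    return ipaddress.ip_address(target) == net.broadcast_address


def _software(tokens):
    """Collect banner tokens up to and including the first one carrying a
    digit, which in practice yields 'Exim 4.50' or 'QPOP (version 2.3)'."""
    out = []
    for tok in tokens:
        out.append(tok)
        if any(c.isdigit() for c in tok):
            break
    return " ".join(out)


def classify_banner(port: int, banner: str) -> dict:
    """Parse the first line of a greeting banner into a small record.
    `self_identified` is False when the hostname is a placeholder such as
    'localhost', i.e. the banner does not reveal which node answered."""
    stripped = banner.strip()
    first = stripped.splitlines()[0] if stripped else ""
    result = {"port": port, "service": "unknown", "host": None,
              "software": None, "self_identified": False}

    m = SMTP_RE.match(first)
    if m:
        tokens = m.group("rest").split()
        if tokens and tokens[0].upper() in ("ESMTP", "SMTP"):
            tokens = tokens[1:]
        result.update(service="smtp", host=m.group("host"),
                      software=_software(tokens) or None)
    else:
        m = POP3_RE.match(first)
        if m:
            rest = m.group("rest")
            h = re.search(r"\bat\s+(\S+)", rest)
            result.update(service="pop3", host=h.group(1) if h else None,
                          software=_software(rest.split()) or None)

    host = result["host"]
    result["self_identified"] = host is not None and host.lower() not in PLACEHOLDER_HOSTS
    return result


def summarize_replies(replies) -> dict:
    """Group parsed banners by the address that sent them, so that replies
    to a broadcast probe are attributed to each distinct responder."""
    by_host = {}
    for src, port, banner in replies:
        by_host.setdefault(src, []).append(classify_banner(port, banner))
    return by_host


if __name__ == "__main__":
    print("10.0.0.255 is broadcast for 10.0.0.1/255.255.255.0:",
          is_subnet_broadcast("10.0.0.255", "10.0.0.1", "255.255.255.0"))
    for src, records in summarize_replies(SAMPLE_REPLIES).items():
        for rec in records:
            print(src, rec)
```

Run it as a script to print the parsed records; the useful column is `self_identified`: a `localhost` banner only proves that a mail service answered, not which device it lives on, whereas a real hostname narrows the search to one node.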
