Am I being hacked or is my printer possessed?

Posted:
in Genius Bar edited January 2014
I have an HP Deskjet 6490 (I think) printer that is on the network. It is not directly connected to any computer. I also have a MacBook Pro and a Windows machine that are on the network all the time.



My problem started just this past weekend and before that never occurred. What's happening is that all of a sudden, usually in the middle of the night, my printer will suddenly print out several pieces of paper with nothing but a single "H" printed in the upper right corner.



I've checked each computer's print queues and nothing is in there. So I can't imagine that one of the computers is sending this to the printer at random times.



One other thing I was wondering is could this be someone hacking onto my network and finding the printer and sending random commands to it? For now, I turn off the printer unless I want to print something, then just turn it back off. Getting woken up at 3:00 AM by the sound of the printer spitting out junk is quite alarming!



Any help would be appreciated.

Comments

  • Reply 1 of 16
    Marvin Posts: 15,309 moderator
    Quote:
    Originally Posted by JupiterOne View Post


    My problem started just this past weekend and before that never occurred. What's happening is that all of a sudden, usually in the middle of the night, my printer will suddenly print out several pieces of paper with nothing but a single "H" printed in the upper right corner.



    Definitely a stuttering poltergeist, probably trying to say hello.



    Quote:
    Originally Posted by JupiterOne View Post


    I've checked each computer's print queues and nothing is in there. So I can't imagine that one of the computers is sending this to the printer at random times.



    One other thing I was wondering is could this be someone hacking onto my network and finding the printer and sending random commands to it? For now, I turn off the printer unless I want to print something, then just turn it back off. Getting woken up at 3:00 AM by the sound of the printer spitting out junk is quite alarming!



    Any help would be appreciated.



    Your computer executes the daily cleanup script /etc/daily at 3am. If you open your console in /Applications/Utilities, pull the left hand side of the window to open a list of files. Open /var/log and choose daily.out.



    You will see regular entries about what is executed at that time that look something like:



    ruptime: no hosts in /var/rwho.



    Rotating log files: system.log



    Removing scratch and junk files:



    Removing scratch fax files

    msgs: /var/msgs/bounds: No such file or directory



    Backing up NetInfo data



    Checking subsystem status:



    I wouldn't have expected any printout though but check out the lpr log too - that logs printouts sent via the command line.
  • Reply 2 of 16
    jupiterone Posts: 1,564 member
    Quote:
    Originally Posted by Marvin View Post


    Definitely a stuttering poltergeist, probably trying to say hello.







    Your computer executes the daily cleanup script /etc/daily at 3am. If you open your console in /Applications/Utilities, pull the left hand side of the window to open a list of files. Open /var/log and choose daily.out.



    You will see regular entries about what is executed at that time that look something like:



    ruptime: no hosts in /var/rwho.



    Rotating log files: system.log



    Removing scratch and junk files:



    Removing scratch fax files

    msgs: /var/msgs/bounds: No such file or directory



    Backing up NetInfo data



    Checking subsystem status:



    I wouldn't have expected any printout though but check out the lpr log too - that logs printouts sent via the command line.



    Thanks Marvin. I do see my daily.out log but I don't see any lpr logs. I guess I just wanted to make sure that I wasn't being hacked or something. Although it is a little annoying having this paper wasted. It is strange though that this has never happened before last weekend.
  • Reply 3 of 16
    Marvin Posts: 15,309 moderator
    Quote:
    Originally Posted by JupiterOne View Post


    Thanks Marvin. I do see my daily.out log but I don't see any lpr logs. I guess I just wanted to make sure that I wasn't being hacked or something. Although it is a little annoying having this paper wasted. It is strange though that this has never happened before last weekend.



    Does this happen daily at 3am or just at the weekend?



    Check the cups log - that is in /var/log too. There should be an access log and an error_log. Check for times around when the printout happened.



    There might be a way to get a log file from the device itself. Check the software here to see if it allows you to do this - if it's a proper network printer, try typing the printer IP address into a browser (you can find the IP on the printer itself using its LCD panel):



    http://h10025.www1.hp.com/ewfrf/wc/s...product=467981



    Have you rebooted your computers since it started? Although there's nothing in the print queue, it's possible that there's a file stuck in a temp folder somewhere. A reboot should empty those folders.



    To determine if the printout is coming from the MBP and not the Windows machine, can you leave one of the machines off the network overnight?
  • Reply 4 of 16
    jupiterone Posts: 1,564 member
    Quote:
    Originally Posted by Marvin View Post


    Does this happen daily at 3am or just at the weekend?



    The 3 am was just a guess. It definitely happens during the week. I take my MBP with me on the weekends so I'm not home. But it didn't happen last night.



    Quote:

    Check the cups log - that is in /var/log too. There should be an access log and an error_log. Check for times around when the printout happened.



    There might be a way to get a log file from the device itself. Check the software here to see if it allows you to do this - if it's a proper network printer, try typing the printer IP address into a browser (you can find the IP on the printer itself using its LCD panel):



    http://h10025.www1.hp.com/ewfrf/wc/s...product=467981



    Have you rebooted your computers since it started? Although there's nothing in the print queue, it's possible that there's a file stuck in a temp folder somewhere. A reboot should empty those folders.



    To determine if the printout is coming from the MBP and not the Windows machine, can you leave one of the machines off the network overnight?



    Yes, all great suggestions. I'll try rebooting and removing the MBP for a night or two.



    Thanks!
  • Reply 5 of 16
    jupiterone Posts: 1,564 member
    OK, so when I left for work this morning, there was nothing in the output tray. But when I came home, there were the 4 printed pages with nothing but an "H" in the upper left corner again. So I know it is still happening.



    So first I tried to reboot. As soon as I logged back in to my account, the 4 pages started to print. I turned off the printer and when I turned the printer back on it didn't resume. So it really seems like it is my MBP that is initiating the printing, but at the same time, it doesn't look like it isn't coming from any print queue. I say this because the print program doesn't start up and if it was some application it would probably resume printing when I restarted the printer, right?



    I didn't look at the access_log and error_log files until after I rebooted, but access_log is dated Apr 27 15:30. I don't know what that is used for, but at that time, I was not home with my MBP. I was somewhere else where there was another printer. But I never printed anything.



    The error_log file is dated Apr 27 17:47, which is probably the time when my MBP was reconnected to my home network.



    I'm going to do another reboot to see if the printer prints again. Let me know if you want to see anything from the logs.



    .....And thanks so much for your help!



    edit: Well 36 minutes after rebooting, it printed 2 pages this time. The timestamps on the access_log and error_log have not been updated. Should I start looking for an exorcist?
  • Reply 6 of 16
    Marvin Posts: 15,309 moderator
    Quote:
    Originally Posted by JupiterOne View Post


    I say this because the print program doesn't start up and if it was some application it would probably resume printing when I restarted the printer, right?



    It depends, the content/signal that was sent to the printer was small so it would spool it to the printer memory entirely. So say at some random time, the computer tells it to print 10 pages and you stop the printer at 5 pages and turn it on again, it won't resume printing because you've cleared the memory on the printer.



    Quote:
    Originally Posted by JupiterOne View Post


    I didn't look at the access_log and error_log files until after I rebooted, but access_log is dated Apr 27 15:30. I don't know what that is used for, but at that time, I was not home with my MBP. I was somewhere else where there was another printer. But I never printed anything.



    The error_log file is dated Apr 27 17:47, which is probably the time when my MBP was reconnected to my home network.



    There should be a page log too - I don't have one as I don't have a printer at home. If you can't see this in the console, you can also point your browser to:



    http://localhost:631/jobs?which_jobs=completed



    This shows you the completed jobs in the cups interface.



    Try printing a page manually too and see if a job goes in there.
  • Reply 7 of 16
    jupiterone Posts: 1,564 member
    Quote:
    Originally Posted by Marvin View Post


    It depends, the content/signal that was sent to the printer was small so it would spool it to the printer memory entirely. So say at some random time, the computer tells it to print 10 pages and you stop the printer at 5 pages and turn it on again, it won't resume printing because you've cleared the memory on the printer.







    There should be a page log too - I don't have one as I don't have a printer at home. If you can't see this in the console, you can also point your browser to:



    http://localhost:631/jobs?which_jobs=completed



    This shows you the completed jobs in the cups interface.



    Try printing a page manually too and see if a job goes in there.



    I printed a page and it shows up in the browser page. And everything else in there I can account for. I'll leave the printer on for a bit again and see if it is still happening. Up to now I've kept the printer off except when I want to print. Thanks for all your help!
  • Reply 8 of 16
    Marvin Posts: 15,309 moderator
    Quote:
    Originally Posted by JupiterOne View Post


    I printed a page and it shows up in the browser page. And everything else in there I can account for.



    So none of the random printouts are showing in there? If so, that suggests the Mac might not be sending a page to print but rather some odd signal that is being interpreted wrongly by the printer.



    Is this printer plugged into a router's USB port or is it being shared from a computer?
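
Added example (not part of the original posts): the check this exchange performs by hand, matching the times pages were seen coming out of the printer against job submissions in the CUPS access_log. The log lines, queue name, addresses and timestamps are constructed sample data, and `unexplained` and the 5-minute window are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# CUPS access_log layout:
# host group user [date-time] "method resource version" status bytes ipp-operation ipp-status
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<resource>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<op>\S+) (?P<ipp_status>\S+)$'
)

# IPP operations that actually submit something to print
JOB_OPS = {"Print-Job", "Create-Job", "Send-Document"}

# Constructed sample log (not taken from the thread)
SAMPLE_LOG = """\
localhost - - [28/Apr/2009:18:02:11 -0500] "POST /printers/Deskjet_6940 HTTP/1.1" 200 41233 Print-Job successful-ok
localhost - - [28/Apr/2009:18:02:12 -0500] "POST / HTTP/1.1" 200 139 CUPS-Get-Printers successful-ok
192.168.1.20 - - [28/Apr/2009:21:15:40 -0500] "POST /printers/Deskjet_6940 HTTP/1.1" 200 8812 Print-Job successful-ok
this line is truncated and must be skipp
"""


def parse_jobs(log_text):
    """Return job submissions found in access_log text, skipping malformed lines."""
    jobs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("op") not in JOB_OPS:
            continue
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        jobs.append({"when": when, "host": m.group("host"),
                     "queue": m.group("resource"), "op": m.group("op")})
    return jobs


def correlate(observed, jobs, window_minutes=5):
    """Map each observed printout time to the logged jobs within the window."""
    window = timedelta(minutes=window_minutes)
    return {seen: [j for j in jobs if abs(j["when"] - seen) <= window]
            for seen in observed}


def unexplained(observed, jobs, window_minutes=5):
    """Observed printouts with no matching job: this CUPS queue did not submit them."""
    matches = correlate(observed, jobs, window_minutes)
    return [seen for seen in observed if not matches[seen]]


if __name__ == "__main__":
    jobs = parse_jobs(SAMPLE_LOG)
    tz = jobs[0]["when"].tzinfo
    # Constructed observation times: one shortly after a real job, one at 3 AM
    seen = [datetime(2009, 4, 28, 18, 4, tzinfo=tz),
            datetime(2009, 4, 29, 3, 0, tzinfo=tz)]
    for when in unexplained(seen, jobs):
        print("no CUPS job near", when.isoformat())
```

A printout that appears in `unexplained` was not submitted through this machine's CUPS queue, so the next place to look is the other hosts on the network and the traffic reaching the printer directly.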
  • Reply 9 of 16
    jupiterone Posts: 1,564 member
    Quote:
    Originally Posted by Marvin View Post


    So none of the random printouts are showing in there? If so, that suggests the Mac might not be sending a page to print but rather some odd signal that is being interpreted wrongly by the printer.



    No, they don't show up in there.



    Quote:

    Is this printer plugged into a router's USB port or is it being shared from a computer?



    The printer is plugged into the router, via ethernet cable. That's why I was wondering if someone was trying to hack into my network and seeing the printer and sending some random printer commands or something.
  • Reply 10 of 16
    Marvin Posts: 15,309 moderator
    Quote:
    Originally Posted by JupiterOne View Post


    The printer is plugged into the router, via ethernet cable.



    If you go into http://localhost:631/printers it should give you the IP address of the printer. Try clicking the configure printer button and try typing the IP address into the browser to see if it gives you a web interface on the printer itself.



    Are you sure it's a 6490 and not a 6940 btw?



    If it's the 6940, the manual is here:



    http://h10032.www1.hp.com/ctg/Manual/c00591687.pdf



    and it says that it has a web interface, which you access with the IP address as above. This interface might have a log somewhere but it also has a setting to revert your printer to factory settings - don't know if that will help or not but it might be worth a try.
  • Reply 11 of 16
    jupiterone Posts: 1,564 member
    Quote:
    Originally Posted by Marvin View Post


    If you go into http://localhost:631/printers it should give you the IP address of the printer. Try clicking the configure printer button and try typing the IP address into the browser to see if it gives you a web interface on the printer itself.



    Are you sure it's a 6490 and not a 6940 btw?



    If it's the 6940, the manual is here:



    http://h10032.www1.hp.com/ctg/Manual/c00591687.pdf



    and it says that it has a web interface, which you access with the IP address as above. This interface might have a log somewhere but it also has a setting to revert your printer to factory settings - don't know if that will help or not but it might be worth a try.



    Ugh! Typo. Yes it is a 6940, not 6490.



    I'll check the logs in the web interface. I don't think there was anything there that I couldn't already account for, but I'll check again. I'll also try the "Reset to factory settings" option, if it exists.
  • Reply 12 of 16
    Marvin Posts: 15,309 moderator
    Quote:
    Originally Posted by JupiterOne View Post


    I'll check the logs in the web interface. I don't think there was anything there that I couldn't already account for, but I'll check again.



    The web interface you checked a few posts back was the CUPS interface on OS X, which lists jobs sent out to the printer from the Mac. The web interface you get by typing the IP of the printer into a browser is the one that's on the printer itself. If it has a log file, it will list incoming jobs to the printer and possibly where they came from. It also has other printer controls and settings in a similar way that a router has.
  • Reply 13 of 16
    jupiterone Posts: 1,564 member
    I found the IP address and it does have a web interface, but no logs. Also, it doesn't seem to have any Reset to factory defaults setting either.

  • Reply 14 of 16
    jupiterone Posts: 1,564 member
    Just an update. I turned my printer on Sunday as a test and I've printed stuff too. But it still has not done any of its random printing yet. Strange that it just stopped. The only difference is that my Lacie NAS is on the fritz and is off the network while waiting for a replacement power supply. Could this device have been causing the random prints?



    Strange....
  • Reply 15 of 16
    Marvin Posts: 15,309 moderator
    Quote:
    Originally Posted by JupiterOne View Post


    Just an update. I turned my printer on Sunday as a test and I've printed stuff too. But it still has not done any of its random printing yet. Strange that it just stopped. The only difference is that my Lacie NAS is on the fritz and is off the network while waiting for a replacement power supply. Could this device have been causing the random prints?



    Strange....



    It is a strange problem - I guess that could be what's causing it. It may be an application that runs on the computer that looks for the Lacie device on the network, there is a Hipserv desktop agent for the Lacie NAS that runs on Macs and Windows.



    Perhaps when a computer is connected to the network, it scans for a Lacie NAS to allow easy connection and the NAS then sends back data to allow the connection and maybe the printer is picking up this information and misinterpreting it.



    If the problem only started recently and you've had the NAS and printer for a while, perhaps even the power supply was somehow interfering with the other devices.



    One thing you can try if the problem happens again with or without the NAS connected is to do a network packet sniff using this program:



    http://www.baurhome.net/software/eavesdrop/



    This basically shows you what packets are going around your network and lets you see the packet contents. Packets are just small chunks of any given data transmission. So if you visit a website, it would show chunks of image data and HTML code that make up the whole site you visit.



    Website data generally goes over port 80. The NAS will communicate over different ports depending on the request - the Lacie NAS I have at work allows connections via AFP, SMB etc and those protocols work over different ports.



    If your computer connects via Airport, you will want to scan the network using en1 (change this in settings) - you can find what your active connection is by using the Network Utility in /Applications/Utilities/ but I would expect en1 for Airport and en0 for wired ethernet. Double-click a line in the capture to see the packet contents of that transfer.
  • Reply 16 of 16
    jupiterone Posts: 1,564 member
    Quote:
    Originally Posted by Marvin View Post


    It is a strange problem - I guess that could be what's causing it. It may be an application that runs on the computer that looks for the Lacie device on the network, there is a Hipserv desktop agent for the Lacie NAS that runs on Macs and Windows.



    Perhaps when a computer is connected to the network, it scans for a Lacie NAS to allow easy connection and the NAS then sends back data to allow the connection and maybe the printer is picking up this information and misinterpreting it.



    If the problem only started recently and you've had the NAS and printer for a while, perhaps even the power supply was somehow interfering with the other devices.



    Yes, I've had both the NAS and printer for over a year and this whole problem only started a couple of months ago.

    Quote:

    One thing you can try if the problem happens again with or without the NAS connected is to do a network packet sniff using this program:



    http://www.baurhome.net/software/eavesdrop/



    This basically shows you what packets are going around your network and lets you see the packet contents. Packets are just small chunks of any given data transmission. So if you visit a website, it would show chunks of image data and HTML code that make up the whole site you visit.



    Website data generally goes over port 80. The NAS will communicate over different ports depending on the request - the Lacie NAS I have at work allows connections via AFP, SMB etc and those protocols work over different ports.



    If your computer connects via Airport, you will want to scan the network using en1 (change this in settings) - you can find what your active connection is by using the Network Utility in /Applications/Utilities/ but I would expect en1 for Airport and en0 for wired ethernet. Double-click a line in the capture to see the packet contents of that transfer.



    Actually, my router is a Linksys. But I'll keep this in mind if it happens again. Thanks for all your help Marvin!