No chance you have enabled port forwarding on your router to direct port 9100 at your 7970 is there?

Because this came out last thursday and it is possible you were hit, luckily you would just undo that simple redirect on your router.

https://nexusconsultancy.co.uk/blog/printer-part-flaming-botnet/

https://hardware.slashdot.org/story/17/02/04/1837246/a-hacker-just-pwned-over-150000-printers-expose...

http://www.itechpost.com/articles/81061/20170206/hacker-stackoverflowin-owned-over-150-000-printers....

https://www.therecycler.com/posts/150000-oem-printers-hacked/

All those reports are being overly dramatic, in no way are the printers owned, it is simply a run-of-the-mill print job that looks for printers available on the internet.

Thanks for the reply.

Our printer is not acessible via ftp.

On the Web portal, software upgrade is disabled but cloning and weblet install are allowed. We don't use the default password, and our printers are firewalled from the internet. There is nothing going through from offsite at that time (initiated by the printer).

If I send a file to the printer with netcat to port 9100, it prints and I get the same kind of banner page (remote user, raw tcp). But I also get an entry in the audit log. For the big jobs, there was no such entry. There was an entry in the front panel job history, but it's now rolled over and I did not take pictures, only some handwritten notes.

It's somewhat of a mystery. I don't recall it happening before, and I'll be happy if it does not happen again. I'd like to understand, though. I'm not sure I have a complete unbroken paper set (banner + initial pages) but I can see some PostScript on the printed pages, e.g.

%%Page: 8 8

%%PageBoundingBox: 1 2 600 780

/DeviceRGB dup setcolorspace /colspABC exch def

etc.

along with a lot of stuff like $JcC<$JcC<$JcC<

so it does not look to me like a virus or firmware update.

Most of it is encrypted and are only supposedly readable with an in-house program Xerox controls.

You won't find anything on your server anyway, the file is most certainly either a virus/trojan (it prints the file instead of executes it) or a file that was submitted via FTP mistakenly. In a lot of cases I have come across, a person actually sets up FTP scanning on the device, but they send the scan to the IP of the printer, which in effect is just a real weird way to do a copy ;-) . When the machine receives a file that appears print ready by FTP, it assumes it is a firmware update, when it turns out it is not, it prints it. Sadly, since the file is not proper, it prints the broken PS/PCL code.

You can disable Software updates by default and only turn them on when you are initiating an update to stop the ftp issue, and , if you use a print server, just disable RAW/port 9100 from printing (LPD is vastly superior, so use that), then any job would need to be IPP or LPD and both of which will show the submitter information if it is indeed something that was intended to print.

But, you can if need be go through Xerox (2nd level support) who can get your log file and send it to Engineering to decrypt and diagnose (Assuming you have a maintenance agreement this is not a billed service) I can state for a fact as a 2nd level rep, we cannot decrypt it, so as anything that goes to Engineering, it will be a long ways off of 1 day turnaround if you go that route.