BleepingComputer.com: zerg.helllabs.net

Hi there,

Last night my wireless network connected printer started up by itself, and printed off a sheet that said

GET hxxp://zerg.helllabs.net/cgi-bin/textenv.pl HTTP/1.1
Host: zerg.helllabs.net
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Accept: 8/8
Accept-Language: zh-cn
Connection: Keep-Alive

ââ„¢¦ PH

The Diamond and the Smiley are similar in the printout I just didn't know how to put them in here. OK so this creeped me out. It did this twice before I unplugged the modem and router, and shut down my computer.
Have I been hacked? I just reinstalled Windows 7 because I had an annoying virus, and thought that it would be good to do a clean install anyways. This happened not even a day after the clean install. I connected to the internet to download avg and malware bytes and spybot. I figured nothing would happen if those were the first things that I got. Any help would be appreciated. Will another clean install fix this?

Thanks

This post has been edited by apres: 26 April 2010 - 01:50 PM
Reason for edit: Deactivated link ~ Elise

Hi apres,

I'm sorry about your troubles. Here are a few things to think about and please reply with the answers.

Are you using a legitimate copy of Windows 7 that you purchased? Just curious, because many of the hacked versions of Windows 7 are loaded with malware. Did you perform all the important windows updates after you installed 7? Did you make sure the AVG and were also up to date?

Also, if you are on a wireless network, is your wireless network secured, preferably using WPA2 with a password? Anyone else that connects to your network that you are aware of?

There is definitely something going on since you didn't request this print job, so I would be cautious. Another clean format and install would probably fix this as long as no one is hacking into your wireless network which could be giving them access to your printer.

Why don't you do full scan with AVG and MBAM in normal mode and the let me know what they come up with?

apres, on Apr 26 2010, 07:35 AM, said:

Hi There!

The same thing happened to me last night, exactly except for 8/8 on Accept, I had */*. I was out of the house, but when I returned there were two printed pages.

I have looked at the Hell Labs website, and they have some sort of proxy server software there. Which means 'hidden identity'

From playing around with the information I gathered further, I have spent the rest of the morning looking at proxy settings and printer hacking ,
I realized that the intrusion must have something to do with the dynamic DNS I had set up so I could stream my iTunes audio to my iPhone over the internet.

I was able to get similar results by typing my ip like this, with the open port number of 9100

hxxp://XX.XX.XX.XX:9100/ (Capital X's are your ip, or in my case also the dynamic DNS)

My results from Safari

GET / HTTP/ 1.1
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/531
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q0.8,i
Connection: keep-alive
Host: XX.XX.XX.XX:9100

So it seems that you have been intruded on, as have I, by the same person, "Diamond Happy PH"

I do not feel at this time that I have been further intruded on, but I need to look at the firmware of my printer.

I am uncomfortable by the language settings on the intrusion, originating in China, but at this time I feel that the attack is more of a message in a bottle. It seems that one could write a webcrawler type robot that would universally ping port 9100, and then print little messages like "diamond happy PH"

Hope this helps, and hopefully someone with more geek powers can explain this better.

Maybe someone could contact Hell Labs?

I also forund this website helpful and more confusing:
http://www.irongeek.com/i.php?page=security/networkprinterhacking#Don't forget to look for Stored Documents via the web interface
://http://www.irongeek.com/i.php?page=... web interface

Hey thanks,

I will run the virus and malware scans when I get back to that computer, and post them here. I do have a legitimate windows 7, and the virus programs are all up to date. I'm using an Airport Extreme router, and I do have a password on it. I did have to type the password so if there was a keylogger on there somehow maybe they got it.

thesamething, thanks for all the info. I hope that this was just a warning shot. I'll have to look into making everything more secure. I think that I did somethign with the DNS for my xbox. I'll look into that. oh and my accept line was */* i just must have missed the shift key. Please keep me updated if you find any more info.

This post has been edited by apres: 26 April 2010 - 02:01 PM

Hi apres and thesamething,

I had virtually the identical issue happen this morning. The only difference was the accept line was */* and there was no signature on the bottom like the two of yours.

All my machines run Mac OS X 10.6.6 . Only one machine was on. The printer is OLD, not wireless, BUT it is plugged into the Apple Airport Extreme Base Station.

Do you guys think it is nothing to worry about??? Was it just some random thing that went to the Airport Extreme and printed ? Are there any actions I should take to increase security? I had also been running on one of the Macs Print Topia which allows iOS devices on the network to use the printer. However, again, I thought this may have just occured through the Airport Extreme with the USB connection to the printer? I removed the Printtopia just in case.

Many thanks.

This post has been edited by r170mac: 13 March 2011 - 12:14 PM

Hi fellow potential victims,

I had the same thing happen to me two nights in a row. The first night I reading on the other side of the room and heard the printer turn on, but I cancelled the print job before it started. It displayed "printing" for about 3 minutes and never actually did. Two mornings later, this morning, I awoke to find a paper matching the ones all of you described exactly with the */* on my print tray.

I am also using an Airport Extreme.

I am going to try to find more information.

g

actiongarrett, on 14 March 2011 - 11:18 PM, said:

Hi Sorry to hear it happened to you. I've learned we probably shouldn't worry too much.


Try this...open up the Airpot Extreme utility. Then click "printers." Make sure "share over WAN," and "share over Bonjour," are NOT checked. Your printer should still work as its automatically allowed to share over your local network I believe, but no reason to share on WAN or Bonjour really. Try this and maybe it MIGHT help. I would told to do this.

I also unplugged my DSL modem a few hours just to get a new IP address.

It's nice everyone is kind here. I asked somewhere else and got made fun of for being concerned.

Good luck!