Solved: Re: RV325, 1.5.x firmware, no login prompt, but get background and https handshake.

Tim Dawson · ‎05-04-2020

I have an issue that I have not seen reported yet with the latest firmware. I have three RV325's running in my organization, with one at my office, an the other two remote with IPSEC tunnels between myself and the two remote (none between the remotes) and no OpenVPN. All has been working well for many months (esp. after 1.5.x was loaded), but recently I had seen some attacks in the logs, so put some filters on the WAN port to block the attempts, which was successful, but had to try a few times to get into the GUI to do that. In the last few days, I am in a situation where I try to log into the GUI, and I get the blue background (http or https, so the webserver in the RV325 is up) but never get the login prompt to even be able to try to log in. Power cycling has made no difference, and a power cycle off the network did not either (I have seen cases when the VPN code spins and eats memory . . . off the network should have kept that from happening ... ) I have tried all the other ports notes in articles (and confirmed via nmon - 8000, 8007, 8008, and 8443) and any that respond do the same thing.

Looking in the java console for the session, I see errors thus:

Loading failed for the <script> with source “https://192.168.10.254/language.js”. 192.168.10.254:7
[Show/hide message details.] ReferenceError: Language is not defined[Learn More] 192.168.10.254:510:4
<anonymous>
https://192.168.10.254/:510:4
An unbalanced tree was written using document.write() causing data from the network to be reparsed. For more information https://developer.mozilla.org/en/Optimizing_Your_Pages_for_Speculative_Parsing 192.168.10.254:518
[Show/hide message details.] ReferenceError: Language is not defined[Learn More] 192.168.10.254:566:1
<anonymous>
https://192.168.10.254/:566:1
[Show/hide message details.]

(192.168 . . . is local router internal address)

And use of other browsers and/or other platforms makes no difference (and no browser change here on my main platform recently either).

For what it's worth, in Chrome, the error is "404 (Not Found) for language.js . . .

Any suggestions? I really don't want to wipe this thing, since it appears that one of the remotes is not being terribly well behaved with regard to allowing access either, and at least at this time, traffic is moving. Not so sure that would be the case if I am forced to wipe the config . . .

Tim Dawson · ‎05-04-2020

Found this article, and the nginx workaround by lupescu_daniel did the trick, with no need to reload:

https://community.cisco.com/t5/small-business-routers/rv320-firmware-1-4-2-22-refuses-to-display-login-page-with/td-p/3893150

I have no idea why "undefined" is even considered a choice for language, since it basically bricks access to the router!

- Tim

View solution in original post

jason_adc · ‎05-04-2020

When you get just the blue screen, look in the page source for langName

Here is what I'm seeing.... note the "a;sh /tmp/z;"
<input type="hidden" id="langName" name="langName" value='a;sh /tmp/z;,ENGLISH,Deutsch,Espanol,Francais,Italiano'>

https://community.cisco.com/t5/small-business-routers/rv320s-325s-appear-to-be-under-active-attack/td-p/4079189/

Tim Dawson · ‎05-04-2020

That's very likely a possibility, but I had already found the other workaround and gotten back in prior to seeing this. Unfortunately, my other two sites also appear to be non-responsive to the GUI as well (not even the BG - same as this that I had to hard reset to get anything) so I suspect that this is due to malfeasance! I had been putting in rules to filter out offshore hacking after noting that things had gotten kinda slow, and it appears that I missed something :-) and they crashed the web servers as you had noted. I'll update if/when I can get to the other systems (dark sites - no means to easily reset, but they are passing traffic OK for now, and can't hack a crashed web server, so some consolation in that regard!)

Thanks,

- Tim

jason_adc · ‎05-04-2020

With the blank background I found that an alternate https port was open on the router from the internal side only https://192.168.1.1:8443

Tim Dawson · ‎05-04-2020

Note that in my initial message that those were tried, with the same result. The issue was not the webserver, but a corrupted setting causing the text to be non renderable in the browser, IE the blank screen.

Tim Dawson · ‎05-08-2020

My local unit did not alllow this, but the two remotes do respond on port 8000, and I was able to set the language. Unfortunately, login is not possible - no login/cred errors with the correct info, but flips right back to the login screen. Other ports still non responsive, and no means to reset. Did you have to do anything specific to get in, or are mine just knackered tighter than yours?

Thanks,
- Tim

jason_adc · ‎05-08-2020

http://192.168.1.1:8000 does the same (not accepting credentials) for me, because requires SSL
https://192.168.1.1:8443 ( make sure https ) worked for all but one of mine.

Tim Dawson · ‎05-08-2020

Thanks, that did it! (Duh . . . . ). All of mine are recovered at this point with no need to physically touch the remotes.

Tim Dawson · ‎05-04-2020

Found this article, and the nginx workaround by lupescu_daniel did the trick, with no need to reload:

https://community.cisco.com/t5/small-business-routers/rv320-firmware-1-4-2-22-refuses-to-display-login-page-with/td-p/3893150

I have no idea why "undefined" is even considered a choice for language, since it basically bricks access to the router!

- Tim

SvenErikGrasson29500 · ‎08-18-2020

Hi, I see that you solved your problem. I have the same problem. How did you solve it?

Tim Dawson · ‎08-18-2020

Please see my post from 5/4/2020 in this thread - I ended up using nginx to connect and reset the language.

- Tim

SvenErikGrasson29500 · ‎08-18-2020

Thanks