I can’t figure this out. The IP scan that the PCI Compliance guys ran revealed a vulnerability. On our public IP there is a remote login page of some kind showing up at https://xxx.xxx.xxx.xxx:6500 where the xx’s are our public facing IP address.
If you go to that address there is a page with this login request:
I have InControl turned off and Remote Admin turned off. I went through every other setting in the router looking for something that could be creating this login. I tried my router admin password and it does not work there.
I also powered off my router and tried to pull up the page from an external computer and this page goes away when my router is powered off.
Every login to the router should be noted in the Event Log. When this appears, try to log in and see if anything shows up in the Event Log.
Make sure it is your router that you are talking to. On the support.cgi page create a yellow stripe across the top of the login page. The field is called Login Banner Support.
Hello @Ryan_McQueeney ,
We have done penetration testing on several of our public-facing Peplink routers, and neither the port numbers 60500 nor 6500 show as open at any of the multiple sites we checked.
Is it possible that something between you and your router is doing a port translation?
Happy to Help,
Marcus
Hi @Michael234. Well, it would if it was configured to do so. But some logins, e.g., with RA on, are not shown at all. Like @mldowling, we checked several different devices and did not find that port to be open. Maybe @TK_Liew or @WeiMing could shed some light on this?
If it is something in the Internet rather than in the router, you could try a VPN. It may be that starting from a different public IP might produce a different result.
Better yet, if possible, take the suspect device offline, connect its WAN to a LAN port of another router and then try to get at the WAN port from a device sharing the same LAN. Probably a big pain, but it does ensure that the issue is with the router rather than the public Internet.
I may have been wrong. I thought the page was no longer available when I shut down my router or otherwise had it offline but now after more testing it seems the page is available even when my router is down.
I was so keyed in on this as coming from my router because it is a Peplink-branded page, but I get my IP address from my landlord and now I’m wondering if they have a Peplink router.
Hello Ryan,
Why not ask them? Maybe you can help your Landlord secure their router.
Here are some guides on Minimum cyber security settings we recommend with Peplink
Out of interest, what was the IP address shown on your WAN connection? Is it actually a private IP as defined in RFC 1918?