Possible attack on Radius server?
Hello, I have a USG110 and I'm seeing malicious activity on it. First of all, sadly I'm still on firmware 4.25 but I can't update it at the moment, so forgive me if there's a vulnerability already closed in later firmwares.
- Some Chinese IPs are logging in with normal user accounts, as you can see in the first screenshot. Normal users can't do anything, so they only activate an SSL connection with nothing in it. I have already changed all users' passwords.
- After these logins, I noticed the Radius server being enabled several times (second screenshot), but when I went to "System"->"Auth. Server" there was nothing there and the checkbox was disabled.
- Please note that all the other config changes you see in the screenshots were made by me.
So my question is, what could possibly cause that Radius server activation? Is there any known vulnerability in the wild that can enable it without admin permissions? What are the security implications of the Radius server?
One last thing, I noticed the same behaviour after this news, so maybe it's linked to this.
Thanks for your help
All Replies
Hi @weasel
The log comes from the user database having been changed.
Regarding this part, we have enhanced the log output.
The system will display the user account database change log and also include the operator account and source address.
You can upgrade your firmware to the latest version first.