I found a user automatically created from anonymous account

Antares3000 Posts: 20  Freshman Member
In my log I found this:

     username:zyxelmd, usertype:admin, action:create. (Account: )

I checked in the users section and I really found the new user zyxelmd.

I checked all the other logs available and I didn't find any other login account. Nobody entered the configuration settings. There is only one admin user configured and it has 2 forms of authentication.

I also disabled the VPN connection and deleted this user, but I got it 2 more times.

What is happening? 

It is a very strange issue.

I'm worried it could be a firewall bug...

Can you let me know please?

I'm using ATP700

Regards

Claudio


All Replies

  • Pnagy
    Pnagy Posts: 4
    Same. Two days ago, Flex200 fw. 5.21, new unknown user (security issue?)

    2022-05-17 09:33:53,    ,      ,     alert   ,user  ,CONFIG CHANGE   ,    ,     ,      ,     username:system, usertype:admin, action:create. (Account: )

    Next day in log (same) new username: zyxelmd

    But this user (zyxelmd) is not listed in users or in the saved config; only username:"system" can be seen in the config.
    And the firewall was not accessible via the https web interface, and ssl vpn was unusable (needed a local reboot).
    I see the config file changes: a new (unknown) user, and a new line cloud-helper set remind never

    Afterwards I changed the ports (https, ssl vpn), reloaded the "old" config, and upgraded the fw to 5.30.

    Any tips or advice?

    Thank you

    Regards

    Peter


  • Zyxel_Kevin
    Zyxel_Kevin Posts: 761  Zyxel Employee
    edited May 2022
    We usually suggest upgrading the firmware to the latest version due to security issues.
    Please kindly upgrade to the latest firmware.
    Kevin

  • AnonymousBusiness
    On a usg50 flex with 5.20 I found zyxelmd and system users in the configuration file. One was created 19-5-2022 and the other 17-5-2022.

    Admin password is not breached. Please tell me how to proceed.
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 761  Zyxel Employee
    Hi @AnonymousBusiness,
    Please kindly upgrade the firmware to 5.30. You can also find the Security Advisory.
    Thank you
    Kevin

  • AG_DM
    AG_DM Posts: 2
    edited May 2022
    Hello!
    I have the same problem on flex500. All ports were changed, but I found them over ssh.
    I found users "zyxelmd" and "system", which were made 16 May 2022. All were deleted.
    My users were not changed.
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 761  Zyxel Employee
    edited May 2022
    Hi @AG_DM
    Please kindly upgrade your firewall to ZLD5.30 asap.
    Feel free to contact us if you have any concerns.
    Kevin
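
A defender-side check for the log entries quoted in this thread, as an added example that is not part of the original posts and is not Zyxel tooling: it scans an exported log for admin-account creations and flags those with an empty Account field or a username outside a known-admin allowlist. The sample lines are constructed from the format quoted above; the function name, the allowlist, and the reading of an empty `(Account: )` as "no initiating account recorded" are assumptions.

```python
import re
from typing import NamedTuple

# Message layout taken from the log lines quoted in the thread:
#   username:<name>, usertype:<type>, action:<action>. (Account: <initiator>)
EVENT_RE = re.compile(
    r"username:(?P<username>[^,\s]+),\s*usertype:(?P<usertype>\w+),\s*"
    r"action:(?P<action>\w+)\.\s*\(Account:\s*(?P<account>[^)]*)\)"
)
TS_RE = re.compile(r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


class Finding(NamedTuple):
    timestamp: str
    username: str
    account: str
    reasons: tuple


def find_suspicious_admin_creates(lines, known_admins):
    """Return a Finding for every admin-account creation that looks unexpected."""
    findings = []
    for line in lines:
        ev = EVENT_RE.search(line)
        if not ev or ev["usertype"] != "admin" or ev["action"] != "create":
            continue
        account = ev["account"].strip()
        reasons = []
        if not account:  # assumption: empty field means no initiating account was logged
            reasons.append("no initiating account recorded")
        if ev["username"] not in known_admins:
            reasons.append("username not in admin allowlist")
        if reasons:
            ts = TS_RE.match(line)
            findings.append(Finding(ts.group(1) if ts else "", ev["username"],
                                    account, tuple(reasons)))
    return findings


# Constructed sample export, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
2022-05-17 09:33:53,  ,  ,  alert  ,user  ,CONFIG CHANGE  ,  ,  ,  ,  username:system, usertype:admin, action:create. (Account: )
2022-05-18 02:10:07,  ,  ,  alert  ,user  ,CONFIG CHANGE  ,  ,  ,  ,  username:zyxelmd, usertype:admin, action:create. (Account: )
2022-05-18 10:00:00,  ,  ,  alert  ,user  ,CONFIG CHANGE  ,  ,  ,  ,  username:backup-admin, usertype:admin, action:create. (Account: admin)
2022-05-18 10:05:00,  ,  ,  notice ,user  ,constructed unrelated entry
""".splitlines()

if __name__ == "__main__":
    for f in find_suspicious_admin_creates(SAMPLE_LOG, {"admin", "backup-admin"}):
        print(f"{f.timestamp}  {f.username:<10} {'; '.join(f.reasons)}")
```

Run it against each exported log and compare the flagged usernames with the user list in the saved configuration file, since the posts above report accounts that appear in one place but not the other.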
