USG FLEX50W (20W-VPN) Factory Reset Not "5 Seconds" as stated in Manual

SierraTech

Last Saturday, I attempted to perform Factory Reset of USG20W-VPN, since it was compromised with unknown administrators in the User list, on older FW (prior to 5.39).

Below is from the manual (PG 912):

1) Make sure the SYS LED is on and not blinking.
2) Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.)
3) Release the RESET button, and wait for the Zyxel Device to restart.
You should be able to access the Zyxel Device using the default settings.

I previously had held it 25 Seconds, with SYS LED not coming back on, and after releasing it began to flash. I rebuilt the entire configuration (thinking it RESET to factory), but suffered the same loss of service after two hours of deployment, due to suspicious activity in Session Log Wiz_VPN.

Today, I once again performed a Factory RESET, and lo and behold, after 35 seconds the SYS LED flashed while I was depressing the RESET switch. I again rebuilt the configuration, without risking that the previous conf file might contain a reference to the bot.

Router has been running 1.5 hours, and traffic is pretty much flatlined (which I would expect because the office is closed). Don't believe everything you read.

All Replies

  • smb_corp_user

    Thank you for the feedback. Very interesting.

  • SierraTech

    @smb_corp_user

    Thanks for your comments! I hope someone benefits from my loss of many hours rebuilding twice, to eliminate the hidden VPN BOT, installed by hacker.

  • Zyxel_Melen
    edited November 18

    Hi @SierraTech,

    After checking, the User's guide mentions that the time the user presses the reset button to factory reset is about 5 seconds, which is correct information. Additionally, the SYS LED might not blink after you release the reset button since the firewall will reboot after the factory reset process. You can verify if you can log in to the firewall with the default admin & password after the factory reset. The reason your firewall had that configuration is more likely because the admin's password was still the same as before.

    In addition, we also released a new patch that fixed some vulnerabilities last week. We recommend you upgrade to this latest version:

    Zyxel Melen


  • SierraTech

    @Zyxel_Melen

    Thanks for the information!

    However I have images of unknown traffic being sent out as VPN Traffic after attempting Factory RESET 25 seconds, and rebuilding configuration:

    [Image: Unknown VPN Traffic]

    [Image: Example of TX Data before OFFICE Opened]

    Unknown traffic has disappeared after the 35-second Factory Reset. Is it possible the manual is based on a minimum configuration, as opposed to a compromised router?

    I also had a bad modem which caused the network to drop a few hours after reboot. I isolated that issue after repairing the router.

  • valerio_vanni

    About your "sessions by services" screenshot.

    This is not "vpn traffic": "services", there, means "ports".

    "Wiz_SSLVPN" is only a name for TCP port 443. The line you show tells that 192.168.*.* device has an https connection with destination. The only thing I don't understand is why the "user" column shows "admin".

    In my devices it shows "-" (none). And my condition makes more sense: an internal machine establishes a connection; it's only traffic routed by the firewall device.

    Why in your log it's marked as "admin"?

  • SierraTech

    @valerio_vanni

    Thanks for clarification on Port 443. I also discovered today a Factory RESET only purges Active firmware partition. I updated 5.38 Partition to 5.39(arb.1) and when I rebooted to the new firmware, I witnessed the same malicious traffic, so I aborted and switched back to 5.39(arb.0) until I can Factory RESET the other partition.

    Again I observed "admin" traffic immediately (see below):

    I will need to take Router offline and bring to my home office, and clean it out!

  • Zyxel_Melen

    Hi @SierraTech,

    Can I ask again about the remote PC? Our team wants to do a deep check on your case. If possible, please share the new information in the previous private message we used to communicate. Thanks!

    Zyxel Melen


  • SierraTech

    @Zyxel_Melen

    Just to clarify, are you asking for remote access?

    I don’t want to switch to 5.39(arb.1) partition due to all the malicious traffic that caused us huge issues, including having ISP change Public IP address due to the continuous attack on previous IP address.

    I could take router offline and move to my LAN as the WAN to block malicious outgoing traffic, and provide access in a sandbox environment.

    I have spent several hours manually rebuilding configuration twice, due to failed factory reboot, and this will be an expensive invoice for my client. I plan to sandbox the router, switch to infected partition and perform Factory Reset to clean out remaining BOTNETS! Then load my latest configuration from previous partition.

    Let me know if you wish to have access, and I will try to make it happen as soon as I can. Our weather (SNOW) will be tough the next 2 days so I’m not sure we can do it this week.

  • Zyxel_Melen

    Hi @SierraTech,

    Yes, we want remote access. We will have a deeper check and won't change any configuration or firmware. Please feel free to arrange it at any time. We will wait for your update.

    Zyxel Melen


  • SierraTech

    @Zyxel_Melen

    I will PM you next week, after local business hours when I set this up in the office. I need to switch back to 5.39(arb.1) partition, and will change IP address back to address that was attacked so existing BOTNET does not communicate over new Public IP.

    After you view BOTNET malicious traffic, I plan to remove the Router from WAN, and perform Factory RESET on Partition with firmware 5.39(arb.1), unless you direct otherwise.

    Thanks for the help, this has been a pain!
