Possible attack on Radius server?
Options
Hello, I have a USG110 and I'm seeing malicious activity on it. First of all, sadly I'm still on firmware 4.25 but I can't update it at the moment, so forgive me if there's a vulnerability already closed in later firmwares.
-Some China IP are logging in with normal users accounts as you can see in the first screenshot. Normal users can't do anything so they only activate an SSL connection with nothing in it. Now I already changed all users passwords.
-After these logins, I noticed enabling Radius server several times (second screenshot), but when I went to "System"->"Auth. Server" there was nothing there and the checkbox was disabled.
-Please note that all the other config changes you see in the screenshots were made by me.
So my question is, what could possibly do that Radius server activation? Is there any known vulnerability in the wild that can enable it without admin permissions? What are the security implications of Radius server?
One last thing, I noticed the same behaviour after this news, so maybe it's linked to this.
Thanks for your help
0
All Replies
-
Hi @weasel
The log is come from User database has been changed.
According to this part, we have enhanced log output.
System will display user account database change log and also include operater account and source address.
You can upgrade your firmware to latest version first.
0
Zyxel Employee
Categories
- All Categories
- 384 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 80 Nebula Status and Incidents
- 5.1K Security
- 74 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 70 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 334 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 886 Nebula FAQ
- 415 Security FAQ
- 228 Switch FAQ
- 198 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 63 Security Highlight
