USG FLEX50W (20W-VPN) Factory Reset Not "5 Seconds" as stated in Manual
Last Saturday, I attempted to perform Factory Reset of USG20W-VPN, since it was compromised with unknown administrators in the User list, on older FW (prior to 5.39).
Below is from the manual (PG 912):
1I Make sure the SYS LED is on and not blinking.
2) Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.)
3) Release the RESET button, and wait for the Zyxel Device to restart.
You should be able to access the Zyxel Device using the default settings.
I previously had held it 25 Seconds, with SYS LED not coming back on, and after releasing it began to flash. I rebuilt the entire configuration (thinking it RESET to factory), but suffered the same loss of service after two hours of deployment, due to suspicious activity in Session Log Wiz_VPN.
Today, I once again performed a Factory RESET, and low and behold after 35 seconds the SYS LED flashed while depressing the RESET Switch. I again rebuilt the configuration, without risking previous conf file might contain reference to bot.
Router has been running 1.5 hours, and traffic is pretty much flat lined, (which I would expect because office is closed). Don't beleive everything you read.
All Replies
-
Thank you for the feedback. Very interesting.
0 -
Thanks for your comments! I hope someone benefits from my loss of many hours rebuilding twice, to eliminate the hidden VPN BOT, installed by hacker.
0 -
Hi @SierraTech,
After checking, the User's guide mentions that the time the user presses the reset button to factory reset is about 5 seconds, which is correct information. Additionally, the SYS LED might not blink after you release the reset button since the firewall will reboot after the factory reset process. You can verify if you can log in to the firewall with the default admin & password after the factory reset. The reason your firewall had that configuration is more likely because the admin's password was still the same as before.
In addition, we also released a new patch that fixed some vulnerabilities last week. We recommend you upgrade to this latest version:
Zyxel Melen0 -
Thanks for information.!
However I have images of unknown traffic being sent out as VPN Traffic after attempting Factory RESET 25 seconds, and rebuilding configuration:
Unknow VPN Traffic
Example of TX Data before OFFICE Opened
Unknown traffic has disappeared after 35 Second Factory Reset. Is it possible Manual is based minimum configuration, as opposed to a compromised Router?
I also had a bad Modem which caused network to drop a few hours after reboot. I isolated that issue after repairing Router.
0 -
About your "sessions by services" screenshot.
This is not "vpn traffic": "services", there, means "ports".
"Wiz_SSLVPN" is only a name for TCP port 443. The line you show tells that 192.168.*.* device has an https connection with destination. The only thing I don't understand is why the "user" column shows "admin".
In my devices it shows "-" (none). And my condition makes more sense: internal machine estabilishes a connection, It's only traffic routed by firewall device
Why in your log it's marked as "admin"?
0 -
Thanks for clarification on Port 443. I also discovered today a Factory RESET only purges Active firmware partition. I updated 5.38 Partition to 5.39(arb.1) and when I rebooted to the new firmware, I witnessed the same malicious traffic, so I aborted and switched back to 5.39(arb.0) until I can Factory RESET the other partition.
Again I observed 'admin" traffic immediately (see below):
I will need to take Router offline and bring to my home office, and clean it out!
0 -
Hi @SierraTech,
Can I ask again about the remote PC? Our team wants to do a deep check on your case. If possible, please share the new information in the previous private message we used to communicate. Thanks!
Zyxel Melen0 -
Just to clarify, are you asking for remote access?
I don’t want to switch to 5.39(arb.1) partition due to all the malicious traffic that caused us huge issues, including having ISP change Public IP address due to the continuous attack on previous IP address.
I could take router offline and move to my LAN as the WAN to block malicious outgoing traffic, and provide access in a sandbox environment.
I have spent several hours manually rebuilding configuration twice, due to failed factory reboot, and this will be an expensive invoice for my client. I plan to sandbox the router, switch to infected partition and perform Factory Reset to clean out remaining BOTNETS! Then load my latest configuration from previous partition.
Let me know if you wish to have access, and I will try to make it happen as soon as I can. Our weather (SNOW) will be tough the next 2 days so I’m not sure we can do it this week.
0 -
Hi @SierraTech,
Yes, we want remote access. We will have a deeper check and won't change any configuration or firmware. Please feel free to arrange it at any time. We will wait for your update.
Zyxel Melen0 -
I will PM you next week, after local business hours when I set this up in the office. I need to switch back to 5.39(arb.1) partition, and will change IP address back to address that was attacked so existing BOTNET does not communicate over new Public IP.
After you view BOTNET malicious traffic, I plan to remove the Router from WAN, and perform Factory RESET on Partition with firmware 5.39(arb.1), unless you direct otherwise.
Thanks for the help, this has been a pain!
1
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 148 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight