USG FLEX50W (20W-VPN) Factory Reset Not "5 Seconds" as stated in Manual
Last Saturday, I attempted to perform Factory Reset of USG20W-VPN, since it was compromised with unknown administrators in the User list, on older FW (prior to 5.39).
Below is from the manual (PG 912):
1) Make sure the SYS LED is on and not blinking.
2) Press the RESET button and hold it until the SYS LED begins to blink. (This usually takes about five seconds.)
3) Release the RESET button, and wait for the Zyxel Device to restart.
You should be able to access the Zyxel Device using the default settings.
I previously had held it 25 seconds, with the SYS LED not coming back on, and after releasing it, it began to flash. I rebuilt the entire configuration (thinking it had RESET to factory), but suffered the same loss of service after two hours of deployment, due to suspicious activity in the Session Log, Wiz_VPN.
Today, I once again performed a Factory RESET, and lo and behold, after 35 seconds the SYS LED flashed while depressing the RESET switch. I again rebuilt the configuration, without risking that the previous conf file might contain a reference to the bot.
The router has been running 1.5 hours, and traffic is pretty much flatlined (which I would expect because the office is closed). Don't believe everything you read.
All Replies
-
Thank you for the feedback. Very interesting.
0 -
Thanks for your comments! I hope someone benefits from my loss of many hours rebuilding twice to eliminate the hidden VPN BOT installed by a hacker.
0 -
Hi @SierraTech,
After checking, the User's guide mentions that the time the user presses the reset button to factory reset is about 5 seconds, which is correct information. Additionally, the SYS LED might not blink after you release the reset button since the firewall will reboot after the factory reset process. You can verify if you can log in to the firewall with the default admin & password after the factory reset. The reason your firewall had that configuration is more likely because the admin's password was still the same as before.
In addition, we also released a new patch that fixed some vulnerabilities last week. We recommend you upgrade to this latest version:
0 -
Thanks for the information!
However, I have images of unknown traffic being sent out as VPN traffic after attempting a Factory RESET of 25 seconds and rebuilding the configuration:
Unknown VPN Traffic
Example of TX Data before OFFICE Opened
The unknown traffic has disappeared after the 35-second Factory Reset. Is it possible the manual is based on a minimum configuration, as opposed to a compromised router?
I also had a bad modem which caused the network to drop a few hours after reboot. I isolated that issue after repairing the router.
0 -
About your "sessions by services" screenshot.
This is not "vpn traffic": "services", there, means "ports".
"Wiz_SSLVPN" is only a name for TCP port 443. The line you show tells that the 192.168.*.* device has an HTTPS connection with the destination. The only thing I don't understand is why the "user" column shows "admin".
In my devices it shows "-" (none), and my condition makes more sense: an internal machine establishes a connection; it's only traffic routed by the firewall device.
Why in your log is it marked as "admin"?
0 -
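The reply above makes two points worth checking mechanically when reviewing a "sessions by services" export: a service-object name such as Wiz_SSLVPN is just a label for a port (here TCP 443), and a routed session normally carries no user identity ("-"), so a session attributed to a named account stands out. The following Python script is an added example and not code from the thread or from Zyxel. The CSV-style log lines it parses are constructed for illustration (real exports differ, so `parse_session()` would be adapted), the Wiz_SSLVPN = 443 mapping comes from the reply, the other service names in `SERVICE_PORTS` and the `EXPECTED_ADMINS` set are hypothetical.

```python
"""Triage helper for a firewall 'sessions by services' export.

Added example, not Zyxel code. The log format is constructed for this
example: one session per line, fields 'service,src,dst,user,tx_bytes'.
"""
from dataclasses import dataclass

# Service-object names are labels for ports. Wiz_SSLVPN -> tcp/443 is
# from the thread; the remaining entries are hypothetical placeholders.
SERVICE_PORTS = {
    "Wiz_SSLVPN": ("tcp", 443),
    "Wiz_HTTPS": ("tcp", 443),
    "Wiz_HTTP": ("tcp", 80),
    "Wiz_DNS": ("udp", 53),
}

# Accounts the operator deliberately created (constructed for the example).
EXPECTED_ADMINS = {"admin"}

# Constructed sample export; addresses are documentation ranges.
SAMPLE_LOG = [
    "Wiz_SSLVPN, 192.168.1.50, 203.0.113.10, -, 18200",
    "Wiz_DNS, 192.168.1.50, 192.168.1.1, -, 310",
    "Wiz_SSLVPN, 192.168.1.77, 198.51.100.25, admin, 904400",
    "Wiz_HTTPS, 192.168.1.23, 198.51.100.9, svc_backup, 120",
]


@dataclass
class Session:
    service: str
    src: str
    dst: str
    user: str
    tx_bytes: int


def parse_session(line):
    """Parse one constructed log line into a Session."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 5:
        raise ValueError(f"unexpected field count: {line!r}")
    service, src, dst, user, tx = parts
    return Session(service, src, dst, user, int(tx))


def describe_service(name):
    """Translate a service-object name into the port it actually labels."""
    proto, port = SERVICE_PORTS.get(name, ("?", None))
    if port is None:
        return f"{name} (unknown service object)"
    return f"{name} = {proto}/{port}"


def triage(lines, expected_admins=EXPECTED_ADMINS):
    """Return (Session, reason) pairs for sessions tied to a user account.

    Ordinary routed traffic shows '-' in the user column and is skipped;
    anything else is reported, with a sharper reason when the account is
    not one the operator expects to exist at all.
    """
    findings = []
    for line in lines:
        s = parse_session(line)
        if s.user == "-":
            continue
        if s.user in expected_admins:
            reason = "session attributed to an administrator account"
        else:
            reason = "session attributed to an account not in the expected admin list"
        findings.append((s, reason))
    return findings


def tx_by_user(lines):
    """Sum transmitted bytes per user column value, to compare against a
    quiet-hours baseline (the 'flat line' the original poster expected)."""
    totals = {}
    for line in lines:
        s = parse_session(line)
        totals[s.user] = totals.get(s.user, 0) + s.tx_bytes
    return totals


if __name__ == "__main__":
    for s, reason in triage(SAMPLE_LOG):
        print(f"{describe_service(s.service)}: {s.src} -> {s.dst} "
              f"user={s.user}: {reason}")
    print("TX bytes by user:", tx_by_user(SAMPLE_LOG))
```

Running it against the constructed sample reports the two sessions that carry a user name and leaves the two anonymous routed sessions alone; the per-user byte totals give a quick way to see whether a named account is responsible for traffic during hours when nobody should be logged in.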
Thanks for clarification on Port 443. I also discovered today a Factory RESET only purges Active firmware partition. I updated 5.38 Partition to 5.39(arb.1) and when I rebooted to the new firmware, I witnessed the same malicious traffic, so I aborted and switched back to 5.39(arb.0) until I can Factory RESET the other partition.
Again I observed 'admin' traffic immediately (see below):
I will need to take Router offline and bring to my home office, and clean it out!
0