What's new

I would like to kill some of the processes permanently

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

johnathonm

Regular Contributor
Hello,

I am running the following processes on the router, many of which I am sure I do not need. However, I am not sure which are safe to kill and the best way to kill them at startup. Could you guys help me identify which can be shut down and how to do it properly? Below is the output of my ps:

AT COMMAND
1 Camus198 9356 S /sbin/init
2 Camus198 0 SW [kthreadd]
3 Camus198 0 SW [ksoftirqd/0]
5 Camus198 0 SW< [kworker/0:0H]
7 Camus198 0 SW [rcu_preempt]
8 Camus198 0 SW [rcu_sched]
9 Camus198 0 SW [rcu_bh]
10 Camus198 0 SW [migration/0]
11 Camus198 0 SW [watchdog/0]
12 Camus198 0 SW [watchdog/1]
13 Camus198 0 SW [migration/1]
14 Camus198 0 SW [ksoftirqd/1]
15 Camus198 0 SW [kworker/1:0]
16 Camus198 0 SW< [kworker/1:0H]
17 Camus198 0 SW< [khelper]
18 Camus198 0 SW [kdevtmpfs]
19 Camus198 0 SW< [writeback]
20 Camus198 0 SW [kworker/0:1]
21 Camus198 0 SWN [ksmd]
22 Camus198 0 SW< [crypto]
23 Camus198 0 SW< [bioset]
24 Camus198 0 SW< [kblockd]
25 Camus198 0 DW [skbFreeTask]
26 Camus198 0 SW [bcmFapDrv]
27 Camus198 0 SWN [kswapd0]
28 Camus198 0 SW [fsnotify_mark]
50 Camus198 0 SW [kworker/u4:1]
53 Camus198 0 SW [btnhandler0]
54 Camus198 0 SW [btnhandler1]
55 Camus198 0 SW [btnhandler2]
57 Camus198 0 SW< [linkwatch]
58 Camus198 0 SW< [ipv6_addrconf]
59 Camus198 0 SW< [deferwq]
60 Camus198 0 SW [ubi_bgt0d]
168 Camus198 0 SWN [jffs2_gcd_mtd2]
202 Camus198 0 SW [bcmFlwStatsTask]
206 Camus198 0 SW [bcmsw_rx]
207 Camus198 0 SW [bcmsw]
215 Camus198 0 SW [pdc_rx]
283 Camus198 18504 S /bin/swmdk
296 Camus198 1568 S {wdtctl} wdtd
320 Camus198 1712 S hotplug2 --persistent --no-coldplug
568 Camus198 0 SW [dhd_watchdog_th]
569 Camus198 0 SW [wfd0-thrd]
574 Camus198 0 SW [dhd_watchdog_th]
575 Camus198 0 SW [wfd1-thrd]
591 Camus198 8428 S console
593 Camus198 3368 S /bin/sh
597 Camus198 0 SWN [jffs2_gcd_mtd8]
648 Camus198 0 SW [kworker/0:2]
650 Camus198 0 SW [kworker/1:2]
652 Camus198 3364 S /sbin/syslogd -m 0 -S -O /tmp/syslog.log -s 256 -l 7
654 Camus198 3364 S /sbin/klogd -c 5
695 Camus198 8428 S /sbin/wanduck
700 Camus198 11260 S nt_monitor
701 Camus198 5280 S protect_srv
702 Camus198 16620 S /sbin/netool
715 Camus198 9176 S nt_center
719 Camus198 2328 S dropbear -p 192.168.1.1:22255 -j -k
721 Camus198 2456 S dropbear -p 192.168.1.1:22255 -j -k
722 Camus198 2804 S /bin/eapd
724 Camus198 3404 S nas
725 Camus198 8428 S wpsaide
726 Camus198 4152 S /usr/sbin/wlc_nt
732 Camus198 2736 S /usr/sbin/dhd_monitor
733 Camus198 4512 S /usr/sbin/wlceventd
741 Camus198 3368 S -sh
757 Camus198 3364 S crond -l 9
759 Camus198 8240 S httpds -s -i br0 -p 8443
760 Camus198 8240 S httpd -i br0
764 Camus198 5292 S vis-dcon
771 Camus198 4680 S vis-datacollector
772 Camus198 2756 S /usr/sbin/infosvr br0
776 Camus198 2572 S sysstate
777 Camus198 8428 S watchdog
785 Camus198 4148 S rstats
818 Camus198 3088 S lld2d br0
862 Camus198 23724 S vis-dcon
905 Camus198 6176 S networkmap --bootwait
908 Camus198 8428 S bwdpi_check
920 Camus198 8428 S erp_monitor
926 Camus198 3476 S lldpd -L /usr/sbin/lldpcli -I eth1,eth2,eth3,eth4,et
929 nobody 3248 S lldpd -L /usr/sbin/lldpcli -I eth1,eth2,eth3,eth4,et
932 Camus198 4636 S nt_actMail
992 Camus198 8532 S cfg_server
1207 Camus198 2456 S dropbear -p 192.168.1.1:22255 -j -k
1325 Camus198 0 SW [scsi_eh_0]
1326 Camus198 0 SW< [scsi_tmf_0]
1327 Camus198 0 SW [usb-storage]
1346 Camus198 8428 S usbled
1347 Camus198 13664 S u2ec
1358 Camus198 0 SW [kworker/u4:2]
1392 Camus198 0 SW [jbd2/sda1-8]
1393 Camus198 0 SW< [ext4-rsv-conver]
1404 Camus198 0 SW< [kworker/0:1H]
1515 Camus198 3368 S -sh
1696 Camus198 0 SW< [kworker/1:1H]
1888 Camus198 8428 S ntp
1917 Camus198 1916 S /bin/mcpd
1955 Camus198 8428 S disk_monitor
2170 Camus198 38136 S < dcd -i 3600 -p 43200 -b -d /tmp/bwdpi/
2181 Camus198 15692 S wred -B
2303 Camus198 8428 S bwdpi_wred_alive
2424 Camus198 3364 S /sbin/udhcpc -i eth0 -p /var/run/udhcpc0.pid -s /tmp
13260 nobody 35212 S dnsmasq --log-async
15347 nobody 4920 S pixelserv-tls 192.168.1.2
17528 Camus198 3368 R ps


Thanks for your guidance.

J
 
It really depends on what you need and don’t need, until you figure that out no one is able to help you.

Generally just turn off features you don’t need in the web UI and you should see a decrease in number of running processes.
 
May I ask why?
The larger the surface area, the greater the risk of exploit. Many of these modules are older versions and have had security holes patched in them in later versions.
 
The larger the surface area, the greater the risk of exploit. Many of these modules are older versions and have had security holes patched in them in later versions.

Name one of these modules.

You’ll be better off securing your local network via segmentation than worrying about which process to kill because “it increases the attack surface”.
 
Name one of these modules.

You’ll be better off securing your local network via segmentation than worrying about which process to kill because “it increases the attack surface”.

Sorry, didn't include your quote.
 
Sorry, didn't include your quote.

Camus1981@RT-AC86U-2B48:/jffs# mcpd
main:mcpd_netlink_init failed
mcpd_control_socket_init:bind() to port 47753 error, Address already in use
main:mcpd_control_socket_init failed
mcpd_igmp_proxy_init:Error mcpd_igmp_init
main:mcpd_igmp_proxy_init failed
mcpd_mld_proxy_init:Error mcpd_mld_init
main:mcpd_mld_proxy_init failed
 
I'm not sure what point you're trying to make. mcpd appears to be a proprietary Broadcom binary that handles multicast igmp, nothing to do with Memcached.
 
Memcache Proxy Daemon, /bin/mcpd (https://en.wikipedia.org/wiki/Memcached#Used_as_a_DDoS_Attack_Vector), lpd, wanduck, eapd, they all have ports open to the internet through the firewall, those are just the ones I checked. I killed some others.

Like @ColinTaylor said, memcached is distinct from mcpd.

Of all the ones you've listed, lpd (LPRng) is the only one that's open source and third party, therefore possible to have patches to be applied (otherwise Asus would have to patch them and Merlin would pull them in, which he does frequently).

Looking at LPRng source code, the project itself haven't been updated since 2012, and doesn't seem like it has known but unfixed vulnerabilities either, so I'm not sure what you think needs patching. If you don't have a use for USB printer sharing, you can disable lpd like this. Of course if you know of a specific vulnerability you're welcome to report it and I or other members on the forum would be happy to take a look and see if its applicable to asuswrt.

I appreciate the effort trying to minimize the attack surface, but it'll be more fruitful if you focus on other parts like making sure there are no open ports exposed to WAN, proper ACL for web UI, IoT devices on a guest network, use Skynet to block malicious IPs etc.
 
I appreciate the effort trying to minimize the attack surface, but it'll be more fruitful if you focus on other parts like making sure there are no open ports exposed to WAN...
But that's the point isn't it. The processes he mentioned don't "have ports open to the internet".
 
Memcache Proxy Daemon, /bin/mcpd (https://en.wikipedia.org/wiki/Memcached#Used_as_a_DDoS_Attack_Vector), lpd, wanduck, eapd, they all have ports open to the internet through the firewall, those are just the ones I checked. I killed some others.

That's not what mcpd is... It's Broadcom's proprietary Multicast Proxy Daemon. EAPD and Wanduck are all part of the base firmware code as well and should not be terminated.

The firmware isn't a regular Linux distro, it's a tightly integrated environment. Everything that runs does so because it's required by the firmware.
 
These processes could be killed.

/jffs/scripts/init-start
Code:
#!/bin/sh

deny_access() {
  local FILEPATH="$1"
  local FILENAME="$(/usr/bin/basename $FILEPATH)"
  local FILEEXT="${FILENAME##*.}"
  if [ "$FILEEXT" == "ko" ]; then
    local MODULENAME="${FILENAME%.*}"
    local FILEPATH="/lib/modules/$(/bin/uname -r)/$(/sbin/modprobe -l $MODULENAME)"
    if [ -f "$FILEPATH" ] && [ ! -h "$FILEPATH" ]; then
      /sbin/lsmod | /bin/grep -qF $MODULENAME && /sbin/modprobe -r $MODULENAME && /bin/usleep 250000
      /bin/mount -o bind /dev/null "$FILEPATH"
    fi
  else
    if [ -f "$FILEPATH" ] && [ ! -h "$FILEPATH" ]; then
      [ -n "$(/bin/pidof $FILENAME)" ] && /usr/bin/killall $FILENAME && /bin/usleep 250000
      /bin/mount -o bind /dev/null "$FILEPATH"
    fi
  fi
}

# disable automatic loading of drivers and programs
deny_access option.ko
deny_access usb_wwan.ko
deny_access drxvi314.ko
deny_access /usr/sbin/find_modem_node.sh
deny_access /usr/sbin/find_modem_type.sh
deny_access /usr/sbin/getrealip.sh
deny_access /usr/sbin/gettunnelip.sh
deny_access /usr/sbin/ministun
deny_access /usr/sbin/gobi_update.sh
deny_access /usr/sbin/modem_at.sh
deny_access /usr/sbin/modem_autoapn.sh
deny_access /usr/sbin/modem_enable.sh
deny_access /usr/sbin/modem_status.sh
deny_access /usr/sbin/modem_stop.sh
deny_access /usr/sbin/chat
deny_access /usr/sbin/lld2d
deny_access /usr/sbin/lldpd
deny_access /bin/mcpd
 
These processes could be killed.

/jffs/scripts/init-start
Code:
#!/bin/sh

deny_access() {
  local FILEPATH="$1"
  local FILENAME="$(/usr/bin/basename $FILEPATH)"
  local FILEEXT="${FILENAME##*.}"
  if [ "$FILEEXT" == "ko" ]; then
    local MODULENAME="${FILENAME%.*}"
    local FILEPATH="/lib/modules/$(/bin/uname -r)/$(/sbin/modprobe -l $MODULENAME)"
    if [ -f "$FILEPATH" ] && [ ! -h "$FILEPATH" ]; then
      /sbin/lsmod | /bin/grep -qF $MODULENAME && /sbin/modprobe -r $MODULENAME && /bin/usleep 250000
      /bin/mount -o bind /dev/null "$FILEPATH"
    fi
  else
    if [ -f "$FILEPATH" ] && [ ! -h "$FILEPATH" ]; then
      [ -n "$(/bin/pidof $FILENAME)" ] && /usr/bin/killall $FILENAME && /bin/usleep 250000
      /bin/mount -o bind /dev/null "$FILEPATH"
    fi
  fi
}

# disable automatic loading of drivers and programs
deny_access option.ko
deny_access usb_wwan.ko
deny_access drxvi314.ko
deny_access /usr/sbin/find_modem_node.sh
deny_access /usr/sbin/find_modem_type.sh
deny_access /usr/sbin/getrealip.sh
deny_access /usr/sbin/gettunnelip.sh
deny_access /usr/sbin/ministun
deny_access /usr/sbin/gobi_update.sh
deny_access /usr/sbin/modem_at.sh
deny_access /usr/sbin/modem_autoapn.sh
deny_access /usr/sbin/modem_enable.sh
deny_access /usr/sbin/modem_status.sh
deny_access /usr/sbin/modem_stop.sh
deny_access /usr/sbin/chat
deny_access /usr/sbin/lld2d
deny_access /usr/sbin/lldpd
deny_access /bin/mcpd

Thank you all and, regardless, it's been a good conversation topic.
 
Like @ColinTaylor said, memcached is distinct from mcpd.

Of all the ones you've listed, lpd (LPRng) is the only one that's open source and third party, therefore possible to have patches to be applied (otherwise Asus would have to patch them and Merlin would pull them in, which he does frequently).

Looking at LPRng source code, the project itself haven't been updated since 2012, and doesn't seem like it has known but unfixed vulnerabilities either, so I'm not sure what you think needs patching. If you don't have a use for USB printer sharing, you can disable lpd like this. Of course if you know of a specific vulnerability you're welcome to report it and I or other members on the forum would be happy to take a look and see if its applicable to asuswrt.

I appreciate the effort trying to minimize the attack surface, but it'll be more fruitful if you focus on other parts like making sure there are no open ports exposed to WAN, proper ACL for web UI, IoT devices on a guest network, use Skynet to block malicious IPs etc.

kfp,

Thank you for your kindness in this matter. I guess I am being overzealous and you are right about going about this by other means. I do have skynet up and it's busier than ever.

Thank you,

J
 
  • Like
Reactions: kfp
That's not what mcpd is... It's Broadcom's proprietary Multicast Proxy Daemon. EAPD and Wanduck are all part of the base firmware code as well and should not be terminated.

The firmware isn't a regular Linux distro, it's a tightly integrated environment. Everything that runs does so because it's required by the firmware.

Hello Merlin,

I apologize, you would know best. I am just being paranoid and overly zealous. What you just told me really cleared my head and reminded me what I am dealing with here. I thank you for your time and hard work.

-J
 
These processes could be killed.

gettunnelip and ministun are used by the webui to display the public IP at the remote end of an OpenVPN tunnel. Preventing access to these two files will prevent that from working properly.

I wouldn't mess with mcpd either. Since it's part of Broadcom's SDK, it might create problems if you prevent access to it.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top