RT-AX88U maxing out a core and regularly showing 60+ MB/s upload

Similar issue - losing WAN access repeatedly, router crashing. Reset and rebuilt multiple times. New modem from ISP, new cables, new AX86U through warranty. Still occurring until disabling of AiCloud. Odd thing is while monitoring logs a line regarding tainted PPTP VPN caught my eye. I have never enabled the PPTP VPN... I may have flipped the switch by accident while configuring WireGuard or something one of the hundred times I factory reset and rebuilt this past month. Disabling AiCloud has since solved my issue, but it's been less than 24 hrs. Changed 26 character router login, DDNS, eliminated port forwarding.
 
Same issue with my RT-AC86U. Someone in another forum pointed me to this thread last week. I turned off AiCloud at that point and things were better. Turned it back on today and after a bit, I noticed the huge upload. Turned it off and rebooted and I'm good again. I guess I'll wait to turn AiCloud back on until Asus and then Merlin issues some sort of update.
 
I would start looking for AiCloud alternatives instead. It's obviously one of the features in Asuswrt targeted by hackers.
 
Quick Q; when folks are saying they "Disabled AIcloud", what exactly are they disabling?

I do not have any of the services on, I do not allow WAN access to my Router, but (via Tailscale and sometimes Wireguard) I access my Routers remotely using a VPN. Tailscale does NOT need a DDNS, but Wireguard does, which is why I have left my DDNS operational (backup VPN).

I do not use AICloud to access my Router via the Asus AICloud App or a URL to the ddnsname.asuscomm.com web address.

As DDNS shows up on that AICloud 2.0 Tab, is that considered part of AICloud or "not really" as it is just a DDNS? i.e. do I need to disable that too (and use a different DDNS?)

k.
 

Attachment: AICloud.jpg
For me, the only difference between being infected and running for a week plus with no further signs of trouble was turning off "AiCloud Disk". Turn off "AiCloud Disk", delete /tmp/hklp and reboot.

I do have DDNS enabled along with remote ssh access.

RT-AX88U Pro
Current Version : 3004.388.8_2
 
> Tailscale does NOT need a DDNS, but Wireguard does, which is why I have left my DDNS operational (backup VPN).
I do not have DDNS enabled or active when using Wireguard server on a RT-AX86U Pro running 3004.388.8_2. Wireguard server seems to run fine with no issues that I've experienced when accessing via remote Wireguard VPN. My broadband IP address rarely if ever has changed so I don't see the need to enable DDNS. As always YMMV.
 
> I do not have DDNS enabled or active when using Wireguard server on a RT-AX86U Pro running 3004.388.8_2. Wireguard server seems to run fine with no issues that I've experienced when accessing via remote Wireguard VPN. My broadband IP address rarely if ever has changed so I don't see the need to enable DDNS. As always YMMV.
That’s interesting, thanks. You’re right, many use cases differ, but I do it because of what I read here:
and saw here (it’s Ubiquiti: but same principle for WG).

It’s what attracted me to TS initially, but I do like WG as a backup, which only works if I can rely on the IP address.
 
Attachment: IMG_1637.jpeg
I've got an Asus RT-AX3000 (RT-AX58U) with firmware 3.0.0.4.388_25127 and Entware. I think I've got it so that Entware is enabled after a reboot only if I SSH in and run some ln and mount commands. My router joined the botnet starting yesterday morning, and I'm glad I found this thread.

The malware runs 4 processes in a parent/child chain, replaces the stat process names with "sshd", and removes the cmdline from the process tables. I can tell which process is doing the work by running top and seeing which one is using up CPU, and the timing lines up with my internet connection degrading severely. I tried finding out more about what this malware is doing using ps, pstree, and netstat, but didn't get very far. But then I tried tcpdump, and I was able to see in Wireshark that my router was part of a botnet sending a TCP ACK flood with 1360 bytes of junk payload to a hosting provider named HostSG out of Singapore (IP addresses 203.175.172.0 - 203.175.173.255).

I feel bad for the hosting provider. My ISP gives me 20 Mbps upstream bandwidth, but this malware was able to hit 650 Mbps as seen on the router's Traffic Monitor page. I think my ISP gives me bursting upload speed too, which the malware took advantage of by doing the flood for just 20 seconds or so and then waiting 2 or 3 minutes before flooding again.

Anyways, I turned off Asus AiCloud 2.0 Cloud Disk and rebooted the router, but I got hacked again 3 hours later. I've now also turned off Asus AiCloud 2.0 Smart Access and rebooted, and so far I've gone the longest yet without any malware running. Fingers crossed that I'm free and clear now.

BTW, I've got the router log going to my Raspberry Pi through rsyslog, and I noticed in there that the weekly Let's Encrypt and dynamic DNS refresh ran just minutes before the very first time my internet connection degraded (I'm running SmokePing on my Pi). But that could be a coincidence. In the log, the refresh starts with "cmd service restart_letsencrypt" and ends with "Listening for NAT-PMP/PCP traffic".
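A small triage script, added here as an example and not code from the thread, from Asus or from Asuswrt-Merlin, that checks for the three indicators the posts above describe: a process whose name is "sshd" but whose cmdline has been blanked, the /tmp/hklp file mentioned earlier, and tcpdump lines matching the reported 1360-byte pure-ACK flood toward 203.175.172.0 - 203.175.173.255. It assumes a Linux /proc layout (as on the busybox shell of these routers) and the text output of `tcpdump -nn`; the sample capture lines, the PROC_ROOT/DROP_FILE overrides and the function names are constructed for the example.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the thread or the firmware).
# Assumptions: Linux /proc layout, tcpdump -nn text output. Overrides exist
# so the checks can be exercised against a constructed directory tree.

PROC_ROOT="${PROC_ROOT:-/proc}"
DROP_FILE="${DROP_FILE:-/tmp/hklp}"

# Print PIDs whose process name is "sshd" but whose /proc/PID/cmdline is
# empty. A real SSH daemon keeps its command line; the poster observed the
# malware renaming itself to "sshd" and clearing cmdline.
find_fake_sshd() {
    root="${1:-$PROC_ROOT}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        [ -r "$d/comm" ] || continue
        name=$(cat "$d/comm" 2>/dev/null)
        [ "$name" = "sshd" ] || continue
        # -s is true only for a non-empty file, so an empty cmdline fails it
        if [ ! -s "$d/cmdline" ]; then
            echo "${d##*/}"
        fi
    done
}

# Report "yes"/"no" for the presence of the file the earlier post deletes.
dropper_present() {
    f="${1:-$DROP_FILE}"
    if [ -e "$f" ]; then echo yes; else echo no; fi
}

# Count tcpdump -nn lines on stdin that look like the reported flood: a pure
# ACK ("Flags [.]") carrying exactly 1360 bytes toward 203.175.172.0/23.
# Plain ACKs with "length 0" to the same range are normal and not counted.
count_flood_lines() {
    grep -c -E 'IP [0-9.]+ > 203\.175\.17[23]\.[0-9]+\.[0-9]+: Flags \[\.\],.* length 1360$' || true
}

# Constructed sample of what the capture described above would look like.
# Two flood-like lines, one harmless ACK to the same range, one 1360-byte
# segment to an unrelated host.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.50.1.43210 > 203.175.172.10.443: Flags [.], seq 1:1361, ack 1, win 65535, length 1360
12:00:01.000002 IP 192.168.50.1.43211 > 203.175.173.200.80: Flags [.], seq 1:1361, ack 1, win 65535, length 1360
12:00:01.000003 IP 192.168.50.1.43212 > 203.175.172.10.443: Flags [.], ack 1361, win 65535, length 0
12:00:01.000004 IP 192.168.50.1.43213 > 1.1.1.1.443: Flags [.], seq 1:1361, ack 1, win 65535, length 1360'

# Stand-alone use: sh triage.sh run [capture.txt]
# where capture.txt was produced by e.g. tcpdump -nn -i <wan-if> > capture.txt
# (the WAN interface name differs per model and is not assumed here).
case "${1:-}" in
    run)
        echo "fake sshd PIDs: $(find_fake_sshd)"
        echo "$DROP_FILE present: $(dropper_present)"
        if [ -n "${2:-}" ]; then
            echo "flood-like lines in $2: $(count_flood_lines < "$2")"
        fi
        ;;
esac
```

The process check is the cheapest to run repeatedly from cron on the router; the capture check is better done on the Raspberry Pi that already receives the syslog, since a short `tcpdump` from the router can be copied there and graded offline.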
 