RT-AX88U maxing out a core and regularly showing 60+ MB/s upload

[Paliv]

I have never seen the AiCloud services enabled on my routers. My AX88U Pro has always defaulted to disabled on ASUS stock firmware.

 

[Kingp1n]

I have never seen the AiCloud services enabled on my routers. My AX88U Pro has always defaulted to disabled on ASUS stock firmware.

Just confirmed this and my AiCloud is disabled. I believe Samba Share is enabled by default under USB application-->Servers Center but probably not related to this.

 

[jd24]

By the way, if you are going to use Omada SDN and not stand alone GUI - Omada doesn't require local hardware/software controller anymore. There is a new Omada Cloud-Based Controller option with free account. Somewhat limited in features, but can save $100 in hardware.

Omada Cloud-Based Controller

With the Omada Cloud-Based Controller entirely in the cloud, Omada Cloud SDN offers zero-touch provisioning for efficient and affordable deployment and provides centralized management of the network, including access points, switches, and routers.

www.tp-link.com

Well got the omada installed. gatewat 192.168.1.1 (default was 192.168.0.1)

BUT whenever I try to adpot it in the omada cloud or through the controller in a docker container it wipes the router back to its defaults 192.168.0.1 and lose all connection!!
I am missing something big! It's a learning curve.

 

[SmallKiwi]

Of all the folks who have been impacted by this: are any of you using an SSD drive enclosure attached to the router? I was and it's the only newish device I can think of - but it didn't start right away either. Only other thing I am suspicious of is a family member's ancient laptop.

I've installed 3004.388.8_2 fresh and got diversion running again. So far no issues. Only change I've made was disconnecting the suspicious drive enclosures and using a sandisk usb stick instead. So far (~2 hours) so good. I'll wait to see if a problem arises once this laptop gets used again.

 

[Klosiak]

I have had internet connection issues for past two weeks and I was really mad on. Today I noted that my RT-AX86U with the latest Merlin FW, from time to time sends a huge amount of data to WAN (according to traffic monitor more than my HFC connection is capable to transmit) and when it is happening one CPU core is on 100% usage. During this "peaks" internet connection was lost and no internet at all. This was the cause of my problems with internet connection stability. I have downgraded firmware but it helped for 2 hours. Then I have found this thread and based on what was said here I have turned off AiCloud service, DDNS and changed my password. So far so good and my connection is stable and I do not see this WAN upload peaks in the traffic monitor.

 

[ColinTaylor]

Well got the omada installed. gatewat 192.168.1.1 (default was 192.168.0.1)

BUT whenever I try to adpot it in the omada cloud or through the controller in a docker container it wipes the router back to its defaults 192.168.0.1 and lose all connection!!
I am missing something big! It's a learning curve.

Can you continue this conversation in a different thread please rather than hijacking this one. Thanks.

 

[Kingp1n]

Of all the folks who have been impacted by this: are any of you using an SSD drive enclosure attached to the router? I was and it's the only newish device I can think of - but it didn't start right away either. Only other thing I am suspicious of is a family member's ancient laptop.

I've installed 3004.388.8_2 fresh and got diversion running again. So far no issues. Only change I've made was disconnecting the suspicious drive enclosures and using a sandisk usb stick instead. So far (~2 hours) so good. I'll wait to see if a problem arises once this laptop gets used again.

I doubt the ssd would be the culprit specially if it was formatted prior to use. I would lean more to the laptop/device not having latest security updates and/or the router itself having AiCloud enabled by default or forced by the malware.

 

[firecracker]

Of all the folks who have been impacted by this: are any of you using an SSD drive enclosure attached to the router? I was and it's the only newish device I can think of - but it didn't start right away either. Only other thing I am suspicious of is a family member's ancient laptop.

I've installed 3004.388.8_2 fresh and got diversion running again. So far no issues. Only change I've made was disconnecting the suspicious drive enclosures and using a sandisk usb stick instead. So far (~2 hours) so good. I'll wait to see if a problem arises once this laptop gets used again.

No SSD here. Spinning rust attached to mine.

 

[firecracker]

Since I disabled AiCloud, changed my DDNS registry, and rebooted my router I have not seen the issue again. It's only been 24 hours or so though.

I also disconnected the HDD that I had attached and gave it a deep scan with Avira and Malwarebytes. No detections.

I'm guessing that the malware might not survive reboots and would reinfect the router through AiCloud after awhile. This would explain why the issue wouldn't occur for random durations after a reboot.

 

[jd24]

Got my omada ER7206 up and running eventually with controller in docker. Was quite a learning curve.
Will wipe the asus and decomission it as the isp gateway and only use it for wifi mesh at the moment.

 

[SmallKiwi]

So far all is good. AiDisk is the likely culprit. ASUS have a big problem.

 

[doczenith1]

AiCloud - OFF
AiProtection - OFF
SSH Port Forwarding - OFF
OpenVPN server - ON (non-standard port but do see connection attempts)
WireGuard server - ON

I have a small update. I've turned off the OpenVPN server and changed my router's password. I also shut down a computer on my LAN that has active torrents every now and then. I have not seen any spikes and the daily traffic numbers appear to represent actual usage. I'm going to wait a few more days to confirm "normal" operation and then I'll turn the OpenVPN server back on for a few days and monitor. Next I'll add the LAN connected computer and monitor.

Edit: AiCloud has never been on since the router was first put in operation.

 

[goodrip1]

I have a small update. I've turned off the OpenVPN server and changed my router's password. I also shut down a computer on my LAN that has active torrents every now and then. I have not seen any spikes and the daily traffic numbers appear to represent actual usage. I'm going to wait a few more days to confirm "normal" operation and then I'll turn the OpenVPN server back on for a few days and monitor. Next I'll add the LAN connected computer and monitor.

Edit: AiCloud has never been on since the router was first put in operation.

In my case, I noticed /tmp/hklp running and sending obscene amounts of traffic to an IP address registered in Hong Kong.
Same issue found with killing those multiple processes using /tmp/hklp and finding them respawning.
This is what worked for me. Am running 388.8_2
1. Disable AICloud (reckon this is root of original issue). Have DDNS enabled, did not change system password
2. Tried deleting /tmp/hklp but still got spawned processes using a file with that process, but they got ‘cleaned up’ after the processes ran.
3. Tried creating /tmp/hklp manually without executable privilege, then went through and killed all running processes that reported using a process with that name.

Since step 3, and for 5 days, the issue has not persisted. Have rebooted the router several times. I feel that disabling AICloud services and preventing the spawn processes have sorted it for me for now. Will continue to monitor…

 

[dave14305]

sending obscene amounts of traffic to an IP address registered in Hong Kong.

Did you happen to document the address?

 

[Tech9]

My RT-AX86U bait didn't catch any fish.

 

[arturk]

I wanted to report that after turning off AiCloud services last Sunday the issue stopped entirely.
It has been almost a week and no more suspicious outbound traffic.

Here is my thread on my issue:
Suspicious Outgoing traffic on RT-AC86U

 

[goodrip1]

Did you happen to document the address?

Yes, it was 38.180.188.216

 

[JarleH]

So i the conclusion its most likely an attack via Asus AI feature (Disk or Cloud)?

 

[Squall Leonhart]

nothing is conclusive yet.

 

[bennor]

So i the conclusion its most likely an attack via Asus AI feature (Disk or Cloud)?

If its AiCloud related it should be noted that in the 2024/10/16 - 3.0.0.4.388_25119 firmware for the RT-AX5400 there is the following entry in the release notes: "2. Enhanced AiCloud password protection mechanisms, safeguarding against unauthorized access attempts." If that fix is rolled out to other model firmware's will be interesting to see if that fixes the issue some are seeing and reporting in this discussion. (or not)