What's new

RT-AX88U maxing out a core and regularly showing 60+ MB/s upload

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

The same here for a week... with RT-AX86U (Merlin_3004_388.8_2) - a huge upload traffic and CPU load for 100%
top show on the top {sshd}
Downgrade to 3004_388.7_0 - looks stable
It would have been helpful if you had run the following command before you downgraded so that we could have seen if it was malware.
Code:
find / -name sshd
 
OMG, glad I found this discussion, last 8 days this has been driving me nuts and making me anxious going through all my services

1728909497924.png


Let me try find / -name sshd first then downgrade if needed.
 
If you have the "sshd" process running, under normal circumstances that would be the OpenSSH server daemon (i.e. /opt/sbin/sshd) which can be installed via Entware (it's *not* built-in as part of the F/W).

View attachment 61858

View attachment 61859

However, if you have *not* explicitly installed the Entware package yourself, then someone or something else may have installed it, likely for nefarious purposes. I'd suggest you remove the OpenSSH package immediately. It may even be a "compromised" version of the OpenSSH server that has been installed by some malware.

Try the following commands to remove the package (if it exists):
Bash:
{
   opkg list-installed | grep openssh ; echo
   opkg remove --force-removal-of-dependent-packages openssh-server
   opkg list-installed | grep openssh ; echo
}

My 2 cents.
rolling back mine now - ran these ssh commands and nothing unusual running like the OpenSSH
I'm desperate to get this fixed as it's used all my monthly allowance
 
Last edited:
The same here for a week... with RT-AX86U (Merlin_3004_388.8_2) - a huge upload traffic and CPU load for 100%
top show on the top {sshd}
Downgrade to 3004_388.7_0 - looks stable
Rolling back mine now - same issue and used almost all my allowance! Was going nuts, going through all my services, even called my isp provider as I suspected their bridge router was bugged
 
rolling back mine now - ran these ssh commands and nothing unusual running like the OpenSSH
I'm desperate to get this fixed as it's used all my monthly allowance
Did you run the find command? The opkg commands only check for Entware packages which malware wouldn't be using.
 
Downgraded to 3004_388.7_0.
Let's see how it goes today. So far so good. Fingers crossed.
So has this bug been reported?
Have to keep an eye out on the next release notes
 
How can it be a bug when the sshd process doesn't exist in the firmware? The people reporting it haven't even attempted to analyse the cause of the problem.
Sorry but I've spent a week trying to trace what was going on. Lost 75% of my month's internet allowance in a few days.
I'll stay on 3004_388.7_0 until I know more and see other people's findings.
Thought someone was hacking into my cameras or plex media , all ideas came up.
I had no choice as I work from home as a contractor and could not afford to lose any more allowance. CPU usage much lower and no upload spikes now - touch wood
 
I don't know if I've written this here already but - RT-AX88U with the latest Merlin 388.8_2 plus a whole plethora of addons installed, and no sshd on it, anywhere.
This is the way this router is, so we can assume sshd has either been manually installed, added by a script, or added by a hacker. If either of these happen it's either someone on the local network, something on the internal network is infected, or you're leaving the door wide opening by allowing Internet access to the router/network.
 
Lost 75% of my month's internet allowance in a few days.

Any chance to check the actual usage with the ISP? In your user account perhaps? Don't trust everything you see in the GUI. Some older models have a bug in Traffic Monitor showing inbound traffic spikes in TB for few seconds... when connected to the fastest ISP in the Galaxy, I guess.
 
Any chance to check the actual usage with the ISP? In your user account perhaps? Don't trust everything you see in the GUI. Some older models have a bug in Traffic Monitor showing inbound traffic spikes in TB for few seconds... when connected to the fastest ISP in the Galaxy, I guess.
Yes and this is exactly why I spoke with 2 of their tecnicians about the isp router and counter. They provide an app with the realtime usage in GB for your account.
I initially thought their measuring/traffic analyser was bad but they inisisted that nothing was wrong with it and asked me to change all my wifi passwords.
I know exactly who's on my wifi network. I have an automation to alert me of devices that connect and always check on the router anyway. There was no need to change wifi passwords. It was not even consistent with wifi usage traffic.

So it does seem at this point it was the latest merlin firmware somehow. We'll see over the next 24 hours.
 
It would have been helpful if you had run the following command before you downgraded so that we could have seen if it was malware.
of course I did it, but nothing..
Code:
user@RT-AX86U:/tmp/home/root# find / -name sshd
user@RT-AX86U:/tmp/home/root#
I also spend a sever days trying to find a solution before post here.. no ideas what's going on.
 
Yes and this is exactly why I spoke with 2 of their tecnicians

I believe something is wrong with the Traffic Monitor because @SmallKiwi reported uploading with Gigabit speeds on 30Mbps upload ISP line. This is impossible unless the hacker who hacked the router hacked the ISP upstream as well along with the modem DOCSIS connection. 🧐
 
of course I did it, but nothing..
Code:
user@RT-AX86U:/tmp/home/root# find / -name sshd
user@RT-AX86U:/tmp/home/root#
I also spend a sever days trying to find a solution before post here.. no ideas what's going on.
If it's malware and you rebooted the router (or the process ended) before running that command then you're unlikely to find anything.

People need to run the find / -name sshd command while they're seeing the problematic process in their top output. Also running netstat -nlp as well would be helpful.
 
People need to run the find / -name sshd command while they're seeing the problematic process in their top output.
exactly I run it at the same time
and now - time to time (with 3004.388.7_0) I have the similar strange situation but with httpds process..??
also I unplugged usb flash from router to exclude entware
1728927703803.png
 
Last edited:
exactly I run it at the same time
and now - time to time (with 3004.388.7_0) I have the similar strange situation but with httpds process..??
also I unplugged usb flash from router to exclude entware
View attachment 61934
I spoke too soon.

Big upload spike again!! Just the 1 hit though

Turned off ddns and instantguard , running top in putty to view processes. Just that 1 spike for now.

1728929206444.png
 
Last edited:
I spoke too soon.

Big upload spike again!! Just the 1 hit though

Turned off ddns and instantguard , running top in putty to view processes. Just that 1 spike for now.

View attachment 61935
If you switch to the Wired tab and then each of the Wireless tabs, do you see a matching increase in traffic on any of those tabs? If you don't then the traffic is originating from the router itself.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top