RT-AX88U maxing out a core and regularly showing 60+ MB/s upload

[ColinTaylor]

The same here for a week... with RT-AX86U (Merlin_3004_388.8_2) - a huge upload traffic and CPU load for 100%
top show on the top {sshd}
Downgrade to 3004_388.7_0 - looks stable

It would have been helpful if you had run the following command before you downgraded so that we could have seen if it was malware.

find / -name sshd

 

[jd24]

OMG, glad I found this discussion, last 8 days this has been driving me nuts and making me anxious going through all my services

Let me try find / -name sshd first then downgrade if needed.

 

[jd24]

If you have the "sshd" process running, under normal circumstances that would be the OpenSSH server daemon (i.e. /opt/sbin/sshd) which can be installed via Entware (it's *not* built-in as part of the F/W).

View attachment 61858

View attachment 61859

However, if you have *not* explicitly installed the Entware package yourself, then someone or something else may have installed it, likely for nefarious purposes. I'd suggest you remove the OpenSSH package immediately. It may even be a "compromised" version of the OpenSSH server that has been installed by some malware.

Try the following commands to remove the package (if it exists):

{
   opkg list-installed | grep openssh ; echo
   opkg remove --force-removal-of-dependent-packages openssh-server
   opkg list-installed | grep openssh ; echo
}

My 2 cents.

rolling back mine now - ran these ssh commands and nothing unusual running like the OpenSSH
I'm desperate to get this fixed as it's used all my monthly allowance

 

[Ripshod]

SSHD

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

 

[jd24]

The same here for a week... with RT-AX86U (Merlin_3004_388.8_2) - a huge upload traffic and CPU load for 100%
top show on the top {sshd}
Downgrade to 3004_388.7_0 - looks stable

Rolling back mine now - same issue and used almost all my allowance! Was going nuts, going through all my services, even called my isp provider as I suspected their bridge router was bugged

 

[ColinTaylor]

SSHD

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

Fixed that incorrect title.

 

[ColinTaylor]

rolling back mine now - ran these ssh commands and nothing unusual running like the OpenSSH
I'm desperate to get this fixed as it's used all my monthly allowance

Did you run the find command? The opkg commands only check for Entware packages which malware wouldn't be using.

 

[jd24]

Downgraded to 3004_388.7_0.
Let's see how it goes today. So far so good. Fingers crossed.
So has this bug been reported?
Have to keep an eye out on the next release notes

 

[ColinTaylor]

So has this bug been reported?

How can it be a bug when the sshd process doesn't exist in the firmware? The people reporting it haven't even attempted to analyse the cause of the problem.

 

[jd24]

How can it be a bug when the sshd process doesn't exist in the firmware? The people reporting it haven't even attempted to analyse the cause of the problem.

Sorry but I've spent a week trying to trace what was going on. Lost 75% of my month's internet allowance in a few days.
I'll stay on 3004_388.7_0 until I know more and see other people's findings.
Thought someone was hacking into my cameras or plex media , all ideas came up.
I had no choice as I work from home as a contractor and could not afford to lose any more allowance. CPU usage much lower and no upload spikes now - touch wood

 

[Ripshod]

I don't know if I've written this here already but - RT-AX88U with the latest Merlin 388.8_2 plus a whole plethora of addons installed, and no sshd on it, anywhere.
This is the way this router is, so we can assume sshd has either been manually installed, added by a script, or added by a hacker. If either of these happen it's either someone on the local network, something on the internal network is infected, or you're leaving the door wide opening by allowing Internet access to the router/network.

 

[Tech9]

Lost 75% of my month's internet allowance in a few days.

Any chance to check the actual usage with the ISP? In your user account perhaps? Don't trust everything you see in the GUI. Some older models have a bug in Traffic Monitor showing inbound traffic spikes in TB for few seconds... when connected to the fastest ISP in the Galaxy, I guess.

 

[jd24]

Any chance to check the actual usage with the ISP? In your user account perhaps? Don't trust everything you see in the GUI. Some older models have a bug in Traffic Monitor showing inbound traffic spikes in TB for few seconds... when connected to the fastest ISP in the Galaxy, I guess.

Yes and this is exactly why I spoke with 2 of their tecnicians about the isp router and counter. They provide an app with the realtime usage in GB for your account.
I initially thought their measuring/traffic analyser was bad but they inisisted that nothing was wrong with it and asked me to change all my wifi passwords.
I know exactly who's on my wifi network. I have an automation to alert me of devices that connect and always check on the router anyway. There was no need to change wifi passwords. It was not even consistent with wifi usage traffic.

So it does seem at this point it was the latest merlin firmware somehow. We'll see over the next 24 hours.

 

[kknishev]

It would have been helpful if you had run the following command before you downgraded so that we could have seen if it was malware.

of course I did it, but nothing..

user@RT-AX86U:/tmp/home/root# find / -name sshd
user@RT-AX86U:/tmp/home/root#

I also spend a sever days trying to find a solution before post here.. no ideas what's going on.

 

[Tech9]

Yes and this is exactly why I spoke with 2 of their tecnicians

I believe something is wrong with the Traffic Monitor because @SmallKiwi reported uploading with Gigabit speeds on 30Mbps upload ISP line. This is impossible unless the hacker who hacked the router hacked the ISP upstream as well along with the modem DOCSIS connection.

 

[ColinTaylor]

of course I did it, but nothing..

user@RT-AX86U:/tmp/home/root# find / -name sshd
user@RT-AX86U:/tmp/home/root#

I also spend a sever days trying to find a solution before post here.. no ideas what's going on.

If it's malware and you rebooted the router (or the process ended) before running that command then you're unlikely to find anything.

People need to run the find / -name sshd command while they're seeing the problematic process in their top output. Also running netstat -nlp as well would be helpful.

 

[kknishev]

People need to run the find / -name sshd command while they're seeing the problematic process in their top output.

exactly I run it at the same time
and now - time to time (with 3004.388.7_0) I have the similar strange situation but with httpds process..??
also I unplugged usb flash from router to exclude entware

 

[ColinTaylor]

and now - time to time (with 3004.388.7_0) I have the similar strange situation but with httpds process..??

httpds consuming lots of CPU is a known problem (and not a sign of malware). So it wouldn't cause an increase in WAN traffic.

 

[jd24]

exactly I run it at the same time
and now - time to time (with 3004.388.7_0) I have the similar strange situation but with httpds process..??
also I unplugged usb flash from router to exclude entware
View attachment 61934

I spoke too soon.

Big upload spike again!! Just the 1 hit though

Turned off ddns and instantguard , running top in putty to view processes. Just that 1 spike for now.

 

[ColinTaylor]

I spoke too soon.

Big upload spike again!! Just the 1 hit though

Turned off ddns and instantguard , running top in putty to view processes. Just that 1 spike for now.

View attachment 61935

If you switch to the Wired tab and then each of the Wireless tabs, do you see a matching increase in traffic on any of those tabs? If you don't then the traffic is originating from the router itself.