What's new

RT-AX88U maxing out a core and regularly showing 60+ MB/s upload

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

As @ColinTaylor mentioned, you need to encrypt the file before uploading it to bypass malware checks.
One option to do this on your router:
Code:
openssl aes-256-cbc -a -salt -pbkdf2 -in /tmp/hklp -out /tmp/hklp.enc
It will ask you for a passphrase.

Then upload and share the link and passphrase to who you wish.
Code:
wget --quiet -O- --post-file='/tmp/hklp.enc' 'https://paste.c-net.org/'

To decrypt:
Code:
openssl aes-256-cbc -d -a -pbkdf2 -in filename.enc -out filename.new
It will ask for passphrase.

Source: https://stackoverflow.com/questions/16056135/how-to-use-openssl-to-encrypt-decrypt-files
 
Everything seems OK so far with factory reset and 3.0.0.4.388 24621 FW. Can't get Amazon Echos to connect, but that's another problem for another day!

That won't be OK
I've been having the same problem for a few weeks now on an ASUS RT AX86S.
After restarting for a few hours, the drive is always fine. Subsequently, an upload of 85-135 MBps will begin to appear, the speed from the provider is only 30 MBps. During that time, the CPU load will increase a lot. (HSSD process approx. 50%) followed by internet outages. the outage is for about 10 seconds, the whole thing repeats itself after about 5 minutes.
The traffic is generated by the router, no device on the network behind the router.
- I identified the error with FW 3004_388.8_2
- I downgraded to FW 3004_388.7_0 - the error persists
- I did a new installation of FW 3004_388.8_2 and restarted the configuration - the error persists.
- I uploaded the original ASUS FW 3.0.0.4:388_24243 and restarted the configuration - the problem persists.
 
Code:
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -m multiport ! --dports 53,853 -j LOG --log-prefix "REVIEW: " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A OUTPUT -o eth0 -p udp -m state --state NEW -m multiport ! --dports 53,123 -j LOG --log-prefix "REVIEW: " --log-tcp-sequence --log-tcp-options --log-ip-options
Someone can test these rules to log each new connection originating from the router to the WAN (except DNS and NTP). If we see anything useful, we can try to tcpdump it later.
 
@dave14305 From the information gathered so far from various posts and conversations it appears this particular malware is a variant of an old trojan called gafgyt, also known as BASHLITE. Typically this is used as part of a botnet to perform DDoS attacks. That is likely the reason for the large bursts of data that don't originate from the LAN (because it's probably random junk).

So I guess the bigger question is how it (re-)infects the router. Is it from the internet side (e.g. AiCloud) or the LAN side (e.g. compromised IoT device). Currently my money's on AiCloud.
 
So I guess the bigger question is how it (re-)infects the router. Is it from the internet side (e.g. AiCloud) or the LAN side (e.g. compromised IoT device). Currently my money's on AiCloud.
Yes I can’t believe in 2024 anyone is still running an Asus-provided service on the router.

It’s sad if this is a variant of an old Trojan and neither AiProtection nor ASD have detected it. I wonder if anyone running Skynet has been infected.

Do you know much about the raw sockets? We need a victim to strace the damn thing.
 
It’s sad if this is a variant of an old Trojan and neither AiProtection nor ASD have detected it. I wonder if anyone running Skynet has been infected.
My guess is that this is a relatively new variant. I submitted it to VirusTotal this afternoon and only 4 of the AV vendors detected it. I've just looked again and now 11 of them detect it.

Do you know much about the raw sockets? We need a victim to strace the damn thing.
Not enough to make any sense of what it's doing internally.
 
It’s sad if this is a variant of an old Trojan and neither AiProtection nor ASD have detected it.

Indeed and it was flagged as malicious code by online service. 🧐

I have a single port modem only after ISP change, but if I DMZ an Asus router with firewall disabled will it help gathering usable data? I can monitor what is this thing doing on my firewall. If the generated traffic is not encrypted Suricata will most likely catch unusual activity right away.

Firewall disabled, AiCloud enabled, Access from WAN enabled... what else? I can also fry some fish on the barbeque outside to attract the beast. 🤭
 
Last edited:
Does any victim of the malware have logs under /tmp/lighttpd/? Maybe there are indicators of compromise being logged?
 
Last edited:
It's happening again on my RT-AX86U with merlin.
Had 5 days or so all fine. MY azure vpn for work started shutting down on me and then saw the traffic on my wan again!!

I have now just changed my password again, turned off ddns, openvpn also.

Any other suggestions?

Thinking of getting a new router/firewall today (microtik or tplink omada) as I work from home and need to fix this asap.

I have so many devices on my lan , smart devices, cctv, nas media, homeassistant etc etc
 
I have now just changed my password again, turned off ddns, openvpn also.

Any other suggestions?
Have you checked to see if "AiCloud 2.0" or "Web Access from WAN" are enabled?


I have so many devices on my lan , smart devices, cctv, nas media, homeassistant etc etc
These are also a common source of malware infections.
 
Have you checked to see if "AiCloud 2.0" or "Web Access from WAN" are enabled?



These are also a common source of malware infections.
AICloud and WAN web access disabled

Now what to do if any of my devices is infected?
Is there a program you can suggest to start running through the network?
 
Last edited:
Do you have SSH access to the router enabled? LAN only or LAN & WAN?

It would helpful if you could SSH into the router and post the output from these commands:
Code:
ls -altr /tmp/
ps T
SSH Only Lan.

removed some sensitive data from the output here

ls -altr /tmp/:
drwxr-xr-x 4 'username' root 80 Dec 31 1969 var
drwxr-xr-x 2 'username' root 40 Dec 31 1969 share
-rw-r--r-- 1 'username' root 0 Dec 31 1969 settings
drwxr-xr-x 3 'username' root 60 Dec 31 1969 notify
drwxr-xr-x 2 'username' root 40 Dec 31 1969 inadyn.cache
drwxr-xr-x 3 'username' root 60 Dec 31 1969 home
-rw-r--r-- 1 'username' root 9 Dec 31 1969 misc.json
drwxr-xr-x 3 'username' root 60 Dec 31 1969 confmtd
-rw-rw-rw- 1 'username' root 506 May 5 2018 wl1_hapd.conf
-rw-rw-rw- 1 'username' root 1264 May 5 2018 wl0_hapd.conf
drwxrwxrwx 2 'username' root 40 May 5 2018 netool
-r-sr-x--- 1 'username' root 0 May 5 2018 ebtables.lock
drwxrwxrwx 2 'username' root 100 May 5 2018 dm
-rw-rw-rw- 1 'username' root 0 May 5 2018 awsiot_log
drwxrwxrwx 3 'username' root 80 May 5 2018 avahi
drwxrwxrwx 2 'username' root 80 May 5 2018 asdfile
-rw-rw-rw- 1 'username' root 0 May 5 2018 asd.init
-rw-rw-rw- 1 'username' root 64 May 5 2018 lld2d.conf
lrwxrwxrwx 1 'username' root 8 May 5 2018 ipsec_updown -> /sbin/rc
drwxrwxrwx 2 'username' root 40 May 5 2018 asusfbsvcs
-rw-rw-rw- 1 'username' root 355 May 5 2018 run_lldpd.sh
-rw-rw-rw- 1 'username' root 0 May 5 2018 mastiff_log
-rw-rw-rw- 1 'username' root 5 May 5 2018 mastiff.pid
-rw-rw-rw- 1 'username' root 64 May 5 2018 lldpd_bind_ifnames
-rw-rw-rw- 1 'username' root 4286 May 5 2018 lighttpd.conf
drwxr-xr-x 2 'username' root 40 May 5 2018 cfg_mnt
lrwxrwxrwx 1 'username' root 8 May 5 2018 zcip -> /sbin/rc
lrwxrwxrwx 1 'username' root 8 May 5 2018 wpa_cli -> /sbin/rc
lrwxrwxrwx 1 'username' root 8 May 5 2018 udhcpc_wan -> /sbin/rc
lrwxrwxrwx 1 'username' root 8 May 5 2018 dhcp6c -> /sbin/rc
-rw-r--r-- 1 'username' root 56 May 5 2018 relist.json
-rw-rw-rw- 1 'username' root 92 May 5 2018 obvsie
-rw-rw-rw- 1 'username' root 1 May 5 2018 obstatus
-rw-rw-rw- 1 'username' root 92 May 5 2018 guest_vsie
drwxrwxrwx 2 'username' root 60 May 5 2018 asusdebuglog
-rw-r--r-- 1 'username' root 72 May 5 2018 *****.cap
-rw-r--r-- 1 'username' root 31 May 5 2018 ****.bi
-rw-rw-rw- 1 'username' root 411 May 5 2018 filter_ipv6.default
-rw-rw-rw- 1 'username' root 888 May 5 2018 filter.default
-rw-rw-rw- 1 'username' root 18 May 5 2018 rast_stc_idx1
-rw-rw-rw- 1 'username' root 18 May 5 2018 rast_stc_idx0
-rw-rw-rw- 1 'username' root 176 May 5 2018 chanspec_avbl.txt
-rw-r--r-- 1 'username' root 185 May 5 2018 aplist.json
-rw-r--r-- 1 'username' root 31 May 5 2018 *****.bi
-rw-r--r-- 1 'username' root 185 May 5 2018 ****.cap
drwxrwxrwx 5 'username' root 240 May 5 2018 lighttpd
-rw-r--r-- 1 'username' root 368 May 5 2018 *****.json
-rw-rw-rw- 1 'username' root 2445 May 5 2018 diag_port_status.json
-rw-rw-rw- 1 'username' root 10 May 5 2018 udhcpc0.expires
-rw-rw-rw- 1 'username' root 1094 May 5 2018 nat_rules__eth0
-rw-r--r-- 1 'username' root 43 May 5 2018 maclist.json
drwxrwxrwx 2 'username' root 600 May 5 2018 err_rules
-rw------- 1 'username' root 285 May 5 2018 wan0_ppp.env
drwxrwxrwx 3 'username' root 320 May 5 2018 ppp
drwxrwxrwx 20 'username' root 1776 Apr 26 16:29 ..
-rw-rw-rw- 1 'username' root 469 Jul 31 22:34 release_note0.txt
-rw-r--r-- 1 'username' root 43 Oct 21 09:31 resolv.dnsmasq
-rw-r--r-- 1 'username' root 51 Oct 21 09:31 resolv.conf
-rwxrwxrwx 1 'username' root 1204 Oct 21 09:31 ipsec_iptables_rules
-rw-rw-rw- 1 'username' root 0 Oct 21 09:31 aaews_log
-rw-rw-rw- 1 'username' root 5 Oct 21 09:31 aaews.pid
drwxrwxrwx 2 'username' root 180 Oct 21 09:31 nc
-rwx------ 1 'username' root 0 Oct 21 09:31 .bwdpi.rule.lck
-rwx------ 1 'username' root 0 Oct 21 09:31 .bwdpi.appdb.lck
-rw-rw-rw- 1 'username' root 262188 Oct 21 09:31 syslog.log-1
-rw-rw-rw- 1 'username' root 1438 Oct 21 09:31 redirect_rules
-rw------- 1 'username' root 1264 Oct 21 09:31 nat_rules_ppp0_eth0
lrwxrwxrwx 1 'username' root 24 Oct 21 09:31 nat_rules -> /tmp/nat_rules_ppp0_eth0
-rw-rw-rw- 1 'username' root 6305 Oct 21 09:31 filter_rules
-rw-rw-rw- 1 'username' root 19 Oct 21 09:32 hw_auth_clm
-rw------- 1 'username' root 205 Oct 21 09:33 sig_upgrade.log
-rw-rw-rw- 1 'username' root 65770 Oct 21 09:38 ce0.log.bak
-rw-r--r-- 1 'username' root 263 Oct 21 09:40 wchannel.json
-rw-r--r-- 1 'username' root 398 Oct 21 09:40 chanspec_private.json
-rw-r--r-- 1 'username' root 232 Oct 21 09:40 chanspec_avbl.json
-rw-r--r-- 1 'username' root 854 Oct 21 09:40 chanspec_all.json
drw------- 3 'username' root 480 Oct 21 10:06 bwdpi
drwxrwxrwx 3 'username' root 60 Oct 21 10:09 mnt
-rw-rw-rw- 1 'username' root 15758 Oct 21 10:29 ce0.log
-rw-rw-rw- 1 'username' root 200 Oct 21 10:30 webs_upgrade.log
drwxr-xr-x 12 'username' root 1760 Oct 21 10:48 etc
-rw-rw-rw- 1 'username' root 0 Oct 21 10:49 syscmd.log
-rw-rw-rw- 1 'username' root 3987 Oct 21 10:49 apscan_info.txt
-rw-r--r-- 1 'username' root 846 Oct 21 10:49 allwclientlist.json
-rw-rw-rw- 1 'username' root 8841 Oct 21 10:50 syslog.log
-rw-rw-rw- 1 'username' root 3510 Oct 21 10:51 usb.log
drw-rw-rw- 2 'username' root 280 Oct 21 10:51 .diag
-rw-rw-rw- 1 'username' root 3496 Oct 21 10:51 dev
drwxrwxrwx 24 'username' root 1940 Oct 21 10:51 .
-rw------- 1 'username' root 791 Oct 21 10:51 MON_CHECK_
-rw-r--r-- 1 'username' root 3144 Oct 21 10:52 clientlist.json
-rw-r--r-- 1 'username' root 59 Oct 21 10:52 ********.port
-rw-r--r-- 1 'username' root 1451 Oct 21 10:52 wiredclientlist.json
-rw-r--r-- 1 'username' root 721 Oct 21 10:52 current_wired_client_list.json
drwx------ 2 'username' root 60 Oct 21 10:52 db
-rw-rw-rw- 1 'username' root 0 Oct 21 10:52 watchdog_heartbeat
-rw-r--r-- 1 'username' root 45045 Oct 21 10:52 nmp_cache.js
 
ps T:
PID USER VSZ STAT COMMAND
1 'username' 14236 S /sbin/init
2 'username' 0 SW [kthreadd]
3 'username' 0 SW [ksoftirqd/0]
5 'username' 0 SW< [kworker/0:0H]
7 'username' 0 SW [rcu_preempt]
8 'username' 0 SW [rcu_sched]
9 'username' 0 SW [rcu_bh]
10 'username' 0 SW [migration/0]
11 'username' 0 SW [watchdog/0]
12 'username' 0 SW [watchdog/1]
13 'username' 0 SW [migration/1]
14 'username' 0 SW [ksoftirqd/1]
15 'username' 0 SW [kworker/1:0]
16 'username' 0 SW< [kworker/1:0H]
17 'username' 0 SW [watchdog/2]
18 'username' 0 SW [migration/2]
19 'username' 0 SW [ksoftirqd/2]
20 'username' 0 SW [kworker/2:0]
21 'username' 0 SW< [kworker/2:0H]
22 'username' 0 SW [watchdog/3]
23 'username' 0 SW [migration/3]
24 'username' 0 SW [ksoftirqd/3]
26 'username' 0 SW< [kworker/3:0H]
27 'username' 0 SW< [khelper]
28 'username' 0 SW [kdevtmpfs]
29 'username' 0 SW< [writeback]
31 'username' 0 SWN [ksmd]
32 'username' 0 SW< [crypto]
33 'username' 0 SW< [bioset]
34 'username' 0 SW< [kblockd]
35 'username' 0 SW [skb_free_task]
36 'username' 0 SWN [kswapd0]
37 'username' 0 SW [fsnotify_mark]
62 'username' 0 SW [btnhandler0]
63 'username' 0 SW [btnhandler1]
64 'username' 0 SW [btnhandler2]
65 'username' 0 SW [bpm_monitor]
66 'username' 0 SW< [linkwatch]
68 'username' 0 SW< [ipv6_addrconf]
69 'username' 0 SW< [deferwq]
70 'username' 0 SW [ubi_bgt0d]
152 'username' 0 SW [kworker/2:1]
161 'username' 0 SW [ubi_bgt1d]
170 'username' 0 SW [ubifs_bgt1_0]
251 'username' 0 SW [fc_evt]
252 'username' 0 SW [fc_timer]
253 'username' 0 SW [bcmFlwStatsTask]
258 'username' 0 SW [sw0HouseKeeping]
259 'username' 0 SW [bcmsw_rx]
260 'username' 0 SW [enet-kthrd]
270 'username' 0 SW [pdc_rx]
345 'username' 18532 S /bin/swmdk
346 'username' 18532 S /bin/swmdk
347 'username' 18532 S /bin/swmdk
350 'username' 1584 S {wdtctl} wdtd
354 'username' 1728 S hotplug2 --persistent --no-coldplug
357 'username' 2036 S /usr/sbin/envrams
453 'username' 0 SWN [jffs2_gcd_mtd9]
563 'username' 0 SW< [cfg80211]
685 'username' 0 SW [wl0-kthrd]
688 'username' 0 SW [wfd0-thrd]
694 'username' 0 DW [avs]
803 'username' 0 SW [dhd_watchdog_th]
804 'username' 0 SW [wfd1-thrd]
1336 'username' 0 SW [kworker/u8:4]
1396 'username' 0 SW [kworker/1:2]
1436 'username' 3424 S /sbin/syslogd -m 0 -S -O /tmp/syslog.log -s 256 -l 6
1438 'username' 3424 S /sbin/klogd -c 5
1491 'username' 13212 S /sbin/wanduck
1515 'username' 12008 S asd
1561 'username' 12008 S asd
1520 'username' 14036 S nt_monitor
1531 'username' 14036 S nt_monitor
1707 'username' 14036 S nt_monitor
1521 'username' 7216 S protect_srv
1530 'username' 7216 S protect_srv
1522 'username' 15260 S /sbin/netool
1527 'username' 15260 S /sbin/netool
1524 'username' 2392 S /usr/sbin/haveged -r 0 -w 1024 -d 32 -i 32
1533 'username' 13040 S nt_center
1536 'username' 13040 S nt_center
1537 'username' 3168 S /bin/eapd
1562 'username' 8156 S hostapd -B /tmp/wl0_hapd.conf
1565 'username' 8156 S hostapd -B /tmp/wl1_hapd.conf
1567 'username' 9532 S wps_pbcd
1568 'username' 13212 S wpsaide
1569 'username' 5208 S /usr/sbin/wlc_nt
1570 'username' 5236 S /usr/sbin/wlc_monitor
1572 'username' 10756 S /usr/sbin/awsiot
4604 'username' 10756 S /usr/sbin/awsiot
1576 'username' 3160 S /bin/ceventd
1588 'username' 5540 S /usr/sbin/wlceventd
1590 'username' 3136 S /usr/sbin/debug_monitor /data
1597 'username' 3536 S /usr/sbin/acsd2
1604 'username' 3424 S crond -l 9
1611 nobody 3204 S avahi-daemon: running [RT-AX86U-A708.local]
1623 'username' 11260 S httpds -s -i br0 -p 8443
1624 'username' 12516 S httpd -i br0
1626 'username' 5680 S vis-dcon
1628 'username' 5096 S vis-datacollector
1629 'username' 7320 S /usr/sbin/infosvr br0
1631 'username' 3780 S sysstate
1632 'username' 13212 S watchdog
1633 'username' 13212 S check_watchdog
1634 'username' 13212 S alt_watchdog
1651 'username' 13212 S sw_devled
1656 'username' 13212 S amas_lanctrl
1688 'username' 3496 S lld2d br0
1697 'username' 11952 S vis-dcon
1710 'username' 5252 S nt_actMail
1712 'username' 5252 S nt_actMail
1733 'username' 7164 S /usr/lib/ipsec/starter --daemon charon
1883 'username' 14964 S networkmap --bootwait
1897 'username' 17192 S /usr/sbin/lighttpd -f /tmp/lighttpd.conf -D
1898 'username' 12832 S /usr/sbin/lighttpd-monitor
1900 'username' 12344 S mastiff
1914 'username' 12344 S mastiff
1919 'username' 12344 S mastiff
1920 'username' 12344 S mastiff
1901 'username' 13212 S bwdpi_check
1902 'username' 13212 S hour_monitor
1903 'username' 13212 S pctime
1935 'username' 18348 S roamast
2099 'username' 18348 S roamast
2100 'username' 18348 S roamast
1937 'username' 19444 S conn_diag
1951 'username' 19444 S conn_diag
1952 'username' 19444 S conn_diag
1939 'username' 13212 S amas_ssd_cd
1953 'username' 3416 S lldpd -L /usr/sbin/lldpcli -I eth4,eth3,eth2,eth1,eth5,eth6,eth7,wl0.1,wl0.2,wds0.*.*,wds1
1957 nobody 3416 S lldpd -L /usr/sbin/lldpcli -I eth4,eth3,eth2,eth1,eth5,eth6,eth7,wl0.1,wl0.2,wds0.*.*,wds1
1960 'username' 18332 S amas_portstatus
1961 'username' 18332 S amas_portstatus
1962 'username' 18332 S amas_portstatus
1963 'username' 15780 S cfg_server
2068 'username' 15780 S cfg_server
2069 'username' 15780 S cfg_server
1984 'username' 22620 S amas_lib
1985 'username' 13212 S sched_daemon
1994 'username' 3532 S dropbear -p ********* -j -k
1997 'username' 5152 S fsmd
2000 'username' 5152 S fsmd
2049 'username' 35592 S /usr/lib/ipsec/charon --use-syslog
2052 'username' 35592 S /usr/lib/ipsec/charon --use-syslog
2053 'username' 35592 S /usr/lib/ipsec/charon --use-syslog
2054 'username' 35592 S /usr/lib/ipsec/charon --use-syslog
2055 'username' 35592 S /usr/lib/ipsec/charon --use-syslog
2056 'username' 35592 S /usr/lib/ipsec/charon --use-syslog
2057 'username' 35592 S /usr/lib/ipsec/charon --use-syslog
2058 'username' 35592 S /usr/lib/ipsec/charon --use-syslog
2059 'username' 35592 S /usr/lib/ipsec/charon --use-syslog
2238 'username' 13212 S usbled
2239 'username' 8064 S usbmuxd
2240 'username' 8064 S usbmuxd
2458 'username' 13632 S /usr/sbin/lighttpd-arpping -f br0
3538 'username' 3424 S /sbin/udhcpc -i eth0 -p /var/run/udhcpc0.pid -s /tmp/udhcpc_wan -A5 -O33 -O249
3541 'username' 2976 S /usr/sbin/pppd file /tmp/ppp/options.wan0
3566 'username' 3424 S /sbin/zcip -p /var/run/zcip0.pid eth0 /tmp/zcip
3884 'username' 1952 S /bin/mcpd
4175 'username' 3776 S /usr/sbin/ntp -t -S /sbin/ntpd_synced -p pool.ntp.org -p time.nist.gov
4188 'username' 13212 S disk_monitor
4550 'username' 19024 S aaews --sdk_log_dir=/tmp
4578 'username' 19024 S aaews --sdk_log_dir=/tmp
4579 'username' 19024 S aaews --sdk_log_dir=/tmp
4581 'username' 19024 S aaews --sdk_log_dir=/tmp
4582 'username' 19024 S aaews --sdk_log_dir=/tmp
4583 'username' 19024 S aaews --sdk_log_dir=/tmp
4584 'username' 19024 S aaews --sdk_log_dir=/tmp
4874 'username' 3452 S miniupnpd -f /etc/upnp/config -1
4915 'username' 18160 S < dcd -i 3600 -p 43200 -b -d /tmp/bwdpi/
4916 'username' 18160 S < dcd -i 3600 -p 43200 -b -d /tmp/bwdpi/
4917 'username' 18160 S < dcd -i 3600 -p 43200 -b -d /tmp/bwdpi/
4918 'username' 18160 S < dcd -i 3600 -p 43200 -b -d /tmp/bwdpi/
4919 'username' 18160 S < dcd -i 3600 -p 43200 -b -d /tmp/bwdpi/
11786 'username' 18160 S < dcd -i 3600 -p 43200 -b -d /tmp/bwdpi/
4924 'username' 17392 S wred -B
4925 'username' 17392 S wred -B
4940 'username' 17392 S wred -B
4941 'username' 17392 S wred -B
4942 'username' 17392 S wred -B
4943 'username' 17392 S wred -B
4944 'username' 17392 S wred -B
4945 'username' 17392 S wred -B
4946 'username' 17392 S wred -B
4947 'username' 17392 S wred -B
4968 'username' 13212 S bwdpi_wred_alive
5035 'username' 9868 S /usr/sbin/nmbd -D -s /etc/smb.conf
5037 'username' 9800 S /usr/sbin/nmbd -D -s /etc/smb.conf
5039 'username' 10148 S /usr/sbin/smbd -D -s /etc/smb.conf
5040 'username' 1876 S /usr/sbin/wsdd2 -d -w -i br0 -b sku:RT-AX86U,serial:***
12265 'username' 3660 R dropbear -p **** -j -k
12379 'username' 3424 S -sh
12523 'username' 0 SW< [cifsiod]
13615 'username' 0 SW [kworker/3:2]
16759 'username' 0 SW [kworker/3:0]
16763 'username' 0 SW [kworker/0:2]
18103 'username' 0 SW [kworker/u8:0]
18106 nobody 2648 S dnsmasq --log-async
18107 'username' 2648 S dnsmasq --log-async
18770 'username' 0 SW [kworker/0:1]
18910 'username' 0 SW [cifsd]
19631 'username' 0 SW [kworker/3:1]
19666 'username' 0 SW [kworker/0:0]
19994 'username' 0 SW [kworker/0:3]
20214 'username' 0 SW [kworker/u8:1]
20221 'username' 4532 S rstats --new
20898 'username' 3424 R ps T
 
I have an RT-AX86U bait running on latest stock available Asuswrt 388_24243 from May 2024. Let's see what happens.
 
@jd24 Your router doesn't appear to be infected at the moment. Have you rebooted the router since you last saw the problem?

Also, you do appear to have AiCloud enabled despite what you said earlier. Can you check again please?
Yes I have rebooted and strengthened my password.
Sorry when you said AICloud I thought you meant the Cloud Disk option and AICloud Sync
I have smart access enabled only.
Should I disable this?

I have switched all options off now

Many thanks

1729523881463.png
 
Last edited:
Here is what mine looks like:
View attachment 61947
I was out of town this past weekend and came back to see another spike below, even though nobody was home. I've checked everything mentioned here and see nothing that might be causing this. I don't know if this is actually happening or if it's a glitch in the Traffic Monitor, which I know has happened before.
1729524301535.png
 
I was out of town this past weekend and came back to see another spike below, even though nobody was home. I've checked everything mentioned here and see nothing that might be causing this. I don't know if this is actually happening or if it's a glitch in the Traffic Monitor, which I know has happened before.
View attachment 62068
My spikes today weren't a glitch. I check my isp app and it displays the amount of GB's used and see big jumps!!
Changed my password again, even stronger, rebooted and switched off ddns again.
Will rely on twingate for access (hoping this is still secure)
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top