I had posted the screenshot of the problem in this post but the image got deleted while editing the post. Maybe a mod can retrieve the image from there. Post #36 of this thread.
Thanks for the extra info. The tell-tale signs for this hack are logging in on the first attempt without failure and then starting up another dropbear instance in background before logging out. This is usually followed within a couple of minutes by another login from a different IP address.
Dec 30 08:51:28 dropbear[30095]: Child connection from 46.20.215.170:52354
Dec 30 08:51:33 dropbear[30095]: Password auth succeeded for 'admin' from 46.20.215.170:52354
Dec 30 08:52:15 dropbear[30267]: Running in background"Password auth succeeded for 'admin' from 46.20.215.170:52354"
He's probably some poor sap that got infected as well and now his router is part of the bot net infecting other people.
where i live they use SOAP and that is insecure as **** the whole zyxel botnet (mirai) that something i was exposed to until recently kinda plugged that whole but its still scary cause there are far more things i have no clue about in their software. watching it now and enjoying myself 
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!
