linux
DVoropaev, 2019-09-16 15:51:40

What are the strange processes on the router?

I went into the router via ssh, and among the processes I saw some with a strange name:
{jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p

PID USER       VSZ STAT COMMAND
...
 2147 admin     1392 S    /usr/sbin/dropbear -4
 2148 admin     1556 R    ps
16331 admin     1432 S    /usr/sbin/dropbear -4
23085 admin      356 S    {jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p
23087 admin      332 S    {jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p
26248 admin     3592 S    {jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p
27037 admin      476 S    {jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p
27330 admin     1396 S    /usr/sbin/dropbear -4
27490 admin     1392 S    /usr/sbin/dropbear -4
27586 admin     1432 S    /usr/sbin/dropbear -4
28274 admin     1392 S    /usr/sbin/dropbear -4
28379 admin      472 S    {jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p
28382 admin      500 S    {jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p
28476 admin     1432 S    /usr/sbin/dropbear -4
28543 admin     1432 S    /usr/sbin/dropbear -4
29408 admin        0 SW   [kworker/0:0]
30302 admin     1392 S    /usr/sbin/dropbear -4
30761 admin     1440 S    /usr/sbin/dropbear -4
...

The router is running BusyBox v1.24.2 (2016-09-25 23:47:16 CST) built-in shell (ash).
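As an added example (not from the question or either answer), a small POSIX sh/awk helper that parses a BusyBox ps listing like the one above. BusyBox ps prints "{comm} args" when a process's kernel-visible name differs from its argv[0], so the helper flags user-space processes (VSZ > 0) whose comm has been renamed and whose argv[0] carries no path, and separately counts live dropbear sessions. The listing is embedded as constructed sample input; the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: BusyBox ps output in the same format as the question.
PS_SAMPLE='PID USER       VSZ STAT COMMAND
 2147 admin     1392 S    /usr/sbin/dropbear -4
 2148 admin     1556 R    ps
16331 admin     1432 S    /usr/sbin/dropbear -4
23085 admin      356 S    {jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p
23087 admin      332 S    {jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p
26248 admin     3592 S    {jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p
27037 admin      476 S    {jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p
27330 admin     1396 S    /usr/sbin/dropbear -4
28379 admin      472 S    {jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p
28382 admin      500 S    {jiplqebe560rqed} g4ovl2ovimnvbskpel1lwl8p
29408 admin        0 SW   [kworker/0:0]
30302 admin     1392 S    /usr/sbin/dropbear -4'

# Print "PID {comm} argv0" for user-space processes whose comm is shown in
# braces (renamed, differs from argv[0]) and whose argv0 has no path component.
# Kernel threads show VSZ 0 and "[comm]", so they never match.
suspicious_procs() {
    printf '%s\n' "${1:-$PS_SAMPLE}" | awk '
        NR == 1 { next }                        # skip header line
        $3 > 0 && $5 ~ /^[{][^}]+[}]$/ {        # renamed comm on a real process
            argv0 = $6
            if (argv0 !~ /\//) print $1, $5, argv0
        }'
}

# Number of flagged processes (hypothetical helper name).
count_suspicious() { suspicious_procs "$1" | wc -l | tr -d " "; }

# Number of dropbear instances; each inbound ssh connection forks one,
# so a large count with no admin logged in points at connection pressure.
count_dropbear_sessions() {
    printf '%s\n' "${1:-$PS_SAMPLE}" | awk '$5 ~ /dropbear$/ { n++ } END { print n + 0 }'
}

# Stand-alone run: pass a real listing with  suspicious_procs "$(ps)"
suspicious_procs
```

On the router itself the next step for each flagged PID is to inspect /proc/PID/exe and /proc/PID/cmdline to see which file is actually running.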


2 answer(s)
Radjah, 2019-09-16

dropbear is a tiny ssh server for systems with limited resources. This looks very much like password brute force. Try, in the settings, to move ssh on the WAN side to another port.
I hope that you have access from outside only by key, and not by login and password.
The Chinese quite often try to hack my SSH.

ValdikSS, 2019-10-23

It's a virus, most likely.
