100% cpu utilization and high temps on NanoPi R4S

I have a 80down/5up internet and I got NanoPi R4S to improve latency for gaming through SQM. It is running friendlyWRT 5.15

It was working fine for a few months.

Recently I got a lot of outage from my ISP and it looks like the DNS from ISP (Comcast) is not working so I change my DNS to cloudflare (1.1.1.1).

It work for a few days then when I try to connect the router, I get Error 502 Bad Gateway.
I then do a google search and it looks like something might have broken lucid?

I found a post saying the broken lucid could be about dependency being broken so I run the command at putty and it seemed to have worked as I can now connect again.

I am not very familiar with this thing, but these past few days I noticed the CPU is constantly at 100% and the temps is reading 65-70c

I install htop and connect to putty and confirmed all the cores are maxed.

How do I know which thing is hogging the CPU? I do not have any fancy thing (no firewall, no VPN, no docker, no fancy routing). All I did was set enable CAKE SQM and change the DNS to cloudflare.

Why aren't you contacting "friendlyWRT" then?

The hardware should cope with that throughput (with sqm/cake) while still being sound asleep, even if misconfigured (regardless of core affinity or IRQ assignment), so there's clearly something wrong with your firmware - and your htop output with those weird ssh.arm6/ ssh.arm7 processes (which shouldn't be there on plain OpenWrt) confirms that. At this point you either need to test plain OpenWrt or talk to "friendlyWRT", we can't help you with their firmware (and it looks very much to be specific to their changes).

2 Likes

Looks like your router is compromised by something nasty.

2 Likes

Indeed, those ssh.arm6/ ssh.arm7 processes look a lot like the malicious payload of some malware trying to cover all possible bases (target architectures) to connect back to their mother ship. At least there's no reason why a benign firmware would ship different ssh clients in their firmware releases, as there are no generic images, the exact CPU capabilities of the target device are known beforehand.

EDIT: Mirai and its descendants come to mind.

4 Likes

Why do you call a firewall on a internet router a fancy thing?
To get a botnet on a router without a firewall isn’t a question. It is a matter of time, probably minutes from the actual internet connection is established.

2 Likes

I registered on their forum and created a thread, but no one is replying to it.

I am a complete noob and wondering how do I tell which specific thing is hogging all the CPU resources.

I am considering installing the official OpenWRT, but apparently, it is a command line and it needs to be customised and configured to have a GUI and stuff. I am a noob and can barely navigate through command line and I am looking for guides on how to do it.

I download the image from the official website.

After a few weeks, I receive a message when I tried to open google and it says my modem/isp with my IP address saying it was used for Meris DDoS botnet.

Could it be the FriendlyWRT image is compromised?

I am not an expert on this thing.

Before I got the NanoPi I am using a Netgear router which worked fine without any issues.

I got the NanoPi because I get lag when I play online games while other people are using the WiFi. The NanoPi has been successful at reducing lag (the lag is now barely noticeable or non-existent when playing games)

I never had to configure any firewall before and never had any issues.

can't you just reinstall your firmware using an official image from their website ?

I am using the official image from their website specifically the FriendlyWRT 5.15 which is the latest.

ok, but you should reinstall it, and change the password. And then see if these weird ssh.armx scripts are still runing.

Guess the real router Netgear did have a firewall and hardware made to do routing. NanoPi or Raspberry Pi isn’t network equipment to begin with. They are only multi porpoise computers.

If it is a bot takeover then you can disconnect from wan and remove power for 30seconds. Reboot and change password, turn on firewall if it is turned off, check firewall settings. Reboot. And connect wan.

You could upgrade firmware if it isn’t really old. That is up to you.

But malware lives in ram memory, it can’t install it self in flash. So a reboot will flush it. The problem is that the world now knows you exist so they will try to come back.

Well it can actually live in flash but that requires access to source code before actual build of firmware.

Based on your description, your r4s has certainly be taken over by some botnet. You really need to disconnect it from the network immediately and write a clean firmware image to its flash, don't reconnect it before having done this and setting good (new, unique) passwords - and not disabling the firewall (again).

I changed the password and restarted it. It looks like the CPU usage back to normal (less than 2%)

I did not touch or disable the firewall setting.

I am very unfamiliar with it, what firewall setting do I need to set?

Oh hell no.

How do I prevent them from coming back?

I already rebooted and change password and CPU utilization looks like is back to normal (less than 2% load)

Solid firewall, good password and firmware without known security weakness.

And common internet sense but router malware is most often worm like so they roam the internet and searches IP addresses for known weaknesses. And where they find it they automatically exploit it.
“It isn’t personal it is just business”.

The problem for the owner is when their IP address get logged to many times in the big global DDoS attacks and some government cert agency sends a mail.

If you have a real internet connection without ISP filtration and you turn on logging of WAN drops you will get the sense of the magnitude of shit that is probing the internet for weaknesses in routers and firewalls.

from my point of view this is not enough. it could be a hidden zombie process waiting for 1 day, 1 week, 1 month to restart again.
i would be you i would reinstall everything, and use an uncommon password.