Hacked by China?

So after years of using Wrt, it appears my router has been hacked by users from China maybe?
What made me start looking, is total loss of connection until reboot. Seem the router appears to be running out of memory, so I checked the logs and found the following, repeated over and over

Fri Oct 4 01:30:29 2019 daemon.warn dnsmasq[19995]: reducing DNS packet size for nameserver 2001:4860:4860::8844 to 1280
Fri Oct 4 01:30:31 2019 authpriv.info dropbear[11724]: Child connection from
Fri Oct 4 01:30:37 2019 authpriv.info dropbear[11724]: Exit before auth: Exited normally
Fri Oct 4 01:31:00 2019 daemon.info odhcpd[992]: Using a RA lifetime of 1800 seconds on br-lan
Fri Oct 4 01:31:05 2019 authpriv.info dropbear[13048]: Child connection from
Fri Oct 4 01:31:08 2019 daemon.info odhcpd[992]: Using a RA lifetime of 1800 seconds on br-lan
Fri Oct 4 01:31:14 2019 authpriv.info dropbear[13048]: Exit before auth: Exited normally

I though dropbear was not set to allow outside access by default, but was allowed. So I have since set dropbear to only be allowed from LAN, changed the root password, then reloaded 18.06.4 as a lark

After all this it still running through memory at a fast clip normally I have about 98MB available, now its about 23MB lower, how do I clean this mess up?

Never made it past. I have tons of these in my logs.
A few suggestions:

  1. Disable password authentication and use keys instead.
  2. Use banip or some other fail2ban solution to block such IPs in firewall.
  3. Use a VPN to connect to the router, then use SSH.

Which openwrt image are you using? I don't think SSH access from the Internet via the WAN interface has been allowed by default on the images I have tried.


OpenWrt 18.06.4 r7808-ef686b7292 / LuCI openwrt-18.06 branch (git-19.170.32094-4d6d8bc) for WNDR-4300

I think it defaults to unspecified, as I dont remember changing it

Since my original post, I have re-installed 18.06.4, told it not to keep setting, changed to a new password on reboot, restored a setting backup from 2 months ago. and set dropbear to listen on LAN only, but I assume something is still getting in, as memory is dropping again

What is the output of uci show firewall ?
Paste it here in preformatted text </>


IIRC, dropbear does indeed default to unspecified interface, but the default firewall will not allow incoming connections unless you explicitly create a new traffic rule for ssh inbound on the wan zone.

I would highly recommend reflashing your router again (not keeping settings) and then manually reinstating your configuration. Do not restore a config if you have any reason to question the security or stability/performance of the previous state. By performing the steps manually, it will help ensure you don’t restore an obscure/forgotten setting that may be a consideration in your current situation. And the process of manually configuring everything will help you consider/scrutinize each change to ensure it meets your goals.


I also meant to ask - do you have any non-default packages installed? If so, such packages could potentially be responsible for the performance (memory) issues you’re experiencing. And although unlikely on a fresh install, a security flaw and/or misconfiguration of a package could make your system vulnerable to attack and/or have other performance implications.

Restoring after a suspected security incident might restore the security flaw or malware, even from an "old" back up, as the point in time where the flaw appeared may have been long before it was discovered. Reconstructing the device's configuration is a safer practice.


looks like a brute attack on dropbear, that will never succeed, unless you got short and weak password


Yup, sure is:

To OP:

1 Like


I didnt think dropbear was available by default to the outside world, so yes I had a weak 8 character password, but the real question is why is OpenWrt DEFAULTING to placing dropbear on the outside ports?
Will there be any issue if I just uninstall dropbear?

Heres what I have tried to get back to normal, but memory is still dropping shortly after reboot, and slowly after that.

  1. Disconnected outside modem
  2. Reloaded 18.06.4, and not kept settings
  3. Ran reset defaults as soon as it finished booting
  4. Entered a random complex 15 character password
  5. Placed dropbear on "LAN" interface, changed the port #, disabled "Allow root logins by password"
  6. reconnected modem

Should any hack still remain? It seems the memory loss does not occur until its reconnected to the outside world

As for non-default packages, installed a few from the package list months ago, but nothing new in past 2 months
AdBlockPlus, it been installed for about 2-4 months with no issues
Open VPN months ago for testing

Did not reinstall anything this time until I figure out what eating memory

Is there a memory leak in one of the firewalls? So it still protected, just spinning up extra instances to handle the connections?

By default, dropbear isn't open to the world. Yes, it does listen on all interfaces, but the default firewall rules prevent access from the outside.


@hnyman @vgaetera @trendy.... does this model have a dual partition by chance?

Did you verify the file's SHA256 key?


You never described one. As long as your IPv4 address is available on the Public space, it can be reached. Check your firewall is on.


You can change to DROP if you're that worried...that's more so CPU though.

Of what???

You're almost going for the tin foil hat OP of 2019 wit this one...you're putting in resources...can we get paid for giving some advice too...?

("Closed mouths don't get fed.")


Well, as far as I know it not a dual partition, but some thing is forcing it to run out of memory, normally it keeps about 98MB available, and when it runs out of memory it wont allow connections either way, except for pings by IP address, and yes I verified the SHA256 matched, at least the first/last 4,

So lleachii, with no changes from me for about 2 months, something changed in the past week to force it to run thru 98MB or so of memory every 18-24 hrs, if not hacked anybody got any better suggestions?

Guess what I was trying to ask, is should that have wiped it clean no mater what?

With those problems, that seems like a wise course of action. Along with not installing or configuring anything but minimal basics, then adding slowly and methodically over days or weeks.


Internet Vulnerability Profiling

“Shields Up” (linked in the previous post) is a bad joke. Even for the little it does, its explanations and interpretations are poor, at best.


If I recall correctly, the chinese ip cameras opened this backdoor on port 32700 to the outside world. I then exiled them behind a firewall with no internet access.


Did you change openwrt default firewall config?
If no, maybe more/something else was already compromised.

Can you try:
sync; echo 1 > /proc/sys/vm/drop_caches (or 3 instead of 1)
in a terminal.
Does it free up ram?

The luci memory usage overview seems a bit confusing, at least for me.
htop always shows a higher reading for cached memory.
(Buffered = Cached? //edit its not)
Seems like, the luci memory overview page includes cached memory.