I maintain an Archer C7 with Chaos Calmer (15.05.1, r48532) for a family member. I am located in Europe. I logged remotely into the gateway via ssh using a keypair. Typing netstat, I saw my own connection, but next to it was an ssh connection from Australia. There was a dropbear instance for it. But logread gave me no info about that PID or IP. So whatever there is or was, it was not a recent thing.
There were no other suspicious processes running. The connection just lingered on and on.
I tried to kill the associated dropbear instance, but it refused to die. Doing a kill -9 finally did it, and the state of the connection in netstat went from ESTABLISHED to FIN_WAIT1.
I tried two concurrent logins using my keypair. The associated dropbear is normally killable without the -9 from within the session and from the other session's shell. So there was something special in that dropbear instance.
I am going to update the affected gateway to the newest LEDE release soon. But I'd like to know if there are any explanations for this.
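The comparison described in the post (a live dropbear session whose PID and peer IP appear nowhere in `logread`), as an added example that is not part of the original post. It assumes the busybox `netstat -tnp` column layout and dropbear's "from IP:port" log wording; the function name, sample addresses and PIDs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). IPv4 peers assumed.
# usage: unlogged_ssh_peers NETSTAT_FILE LOGREAD_FILE
# Prints "PID PEER" for every ESTABLISHED dropbear session whose PID and
# peer IP both never appear in the saved log.
unlogged_ssh_peers() {
    awk '
        # First file (the log): collect dropbear PIDs and "from IP:port" peers.
        # FILENAME is compared instead of NR==FNR so an empty log still works.
        FILENAME == ARGV[1] {
            if (match($0, /dropbear\[[0-9]+\]/))
                logged_pid[substr($0, RSTART + 9, RLENGTH - 10)] = 1
            if (match($0, / from [0-9.]+:[0-9]+/)) {
                ip = substr($0, RSTART + 6, RLENGTH - 6)
                sub(/:[0-9]+$/, "", ip)
                logged_ip[ip] = 1
            }
            next
        }
        # Second file (netstat -tnp): live sessions owned by dropbear.
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $7 ~ /\/dropbear$/ {
            split($7, prog, "/")
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # drop the port
            sub(/^::ffff:/, "", ip)      # v4-mapped form on dual-stack listeners
            if (!(prog[1] in logged_pid) && !(ip in logged_ip))
                print prog[1], $5
        }
    ' "$2" "$1"
}

# Constructed sample data (documentation address ranges, made-up PIDs).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/netstat" <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address      State       PID/Program name
tcp        0      0 192.0.2.1:22    198.51.100.4:40022   ESTABLISHED 2101/dropbear
tcp        0      0 192.0.2.1:22    203.0.113.7:51514    ESTABLISHED 1234/dropbear
EOF
    cat > "$d/log" <<'EOF'
Sat Jan  7 10:00:00 2017 authpriv.info dropbear[2101]: Child connection from 198.51.100.4:40022
Sat Jan  7 10:00:01 2017 authpriv.notice dropbear[2101]: Pubkey auth succeeded for 'root' with key md5 (constructed) from 198.51.100.4:40022
EOF
    unlogged_ssh_peers "$d/netstat" "$d/log"
    rm -rf "$d"
}
demo   # prints: 1234 203.0.113.7:51514
```

On the router the two inputs would come from `netstat -tnp > /tmp/ns` and `logread > /tmp/lr`. Because `logread` is a ring buffer, a reported session may simply predate the oldest retained entry.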