Can also check if ssh is listening on the port used by this attacker:

    $ sudo nmap -sT -p 53282 {WAN_IP_OF_ROUTER}

May not be able to do that command from inside your LAN. Depends on the router security settings.