Sunday, January 25, 2015

CyberSecurity - Chinese NetCore Modems are hacked and being used as BOTS

The following messages were repeatedly shown in our logs.

Jan 25 20:23:15 stserver sshd[1333]: Did not receive identification string from 113.73.9.186
Jan 25 20:23:15 stserver sshd[1332]: Did not receive identification string from 113.73.9.186
Jan 25 19:47:41 stserver sshd[1004]: Did not receive identification string from 58.143.4.46
Jan 25 19:47:41 stserver sshd[1003]: Did not receive identification string from 58.143.4.46
Jan 25 19:38:36 stserver sshd[840]: Did not receive identification string from 115.194.127.55
Jan 25 19:38:32 stserver sshd[838]: Did not receive identification string from 115.194.127.55
Jan 25 19:38:20 stserver sshd[836]: Did not receive identification string from 114.40.114.171
Jan 25 19:38:20 stserver sshd[835]: Did not receive identification string from 114.40.114.171
Jan 25 19:34:45 stserver sshd[783]: Did not receive identification string from 116.116.155.39
Jan 25 19:34:45 stserver sshd[782]: Did not receive identification string from 116.116.155.39
Jan 25 19:30:24 stserver sshd[721]: Did not receive identification string from 182.123.100.16
Jan 25 19:30:24 stserver sshd[720]: Did not receive identification string from 182.123.100.16
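sshd writes "Did not receive identification string" when a client opens the TCP connection but closes it without ever sending an SSH version banner, which is what port scanners and bots probing for open sshd instances typically do. As an added example that is not part of the original post, here is a small Python script that parses lines of this shape, counts events per source address, singles out addresses that opened two connections in the same second (the paired pids in the log above), and produces a deny list for a firewall or fail2ban-style rule. The log text is constructed here from the lines quoted above plus one benign login line that the filter must ignore; no real log file is read.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the sshd lines quoted in the post plus one
# benign login line that the filter must ignore.
SAMPLE_LOG = """\
Jan 25 20:23:15 stserver sshd[1333]: Did not receive identification string from 113.73.9.186
Jan 25 20:23:15 stserver sshd[1332]: Did not receive identification string from 113.73.9.186
Jan 25 19:47:41 stserver sshd[1004]: Did not receive identification string from 58.143.4.46
Jan 25 19:47:41 stserver sshd[1003]: Did not receive identification string from 58.143.4.46
Jan 25 19:38:36 stserver sshd[840]: Did not receive identification string from 115.194.127.55
Jan 25 19:38:32 stserver sshd[838]: Did not receive identification string from 115.194.127.55
Jan 25 19:31:02 stserver sshd[730]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""

# One sshd line of the kind the post shows: syslog timestamp, host, pid, message, source IP.
NO_IDENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Did not receive identification string from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_no_ident(log_text):
    """Return a list of (timestamp, pid, ip) for every no-identification line."""
    events = []
    for line in log_text.splitlines():
        m = NO_IDENT_RE.match(line.strip())
        if m:
            events.append((m.group("ts"), int(m.group("pid")), m.group("ip")))
    return events


def count_by_source(log_text):
    """Number of no-identification events per source IP."""
    return Counter(ip for _, _, ip in parse_no_ident(log_text))


def parallel_connects(log_text):
    """Source IPs that opened two or more connections within the same second.

    Two sshd pids with identical timestamps from one address (as in the post)
    is a scanner signature: an interactive client opens one session at a time.
    """
    per_key = defaultdict(int)
    for ts, _, ip in parse_no_ident(log_text):
        per_key[(ip, ts)] += 1
    return sorted({ip for (ip, _), n in per_key.items() if n >= 2})


def blocklist(log_text, threshold=2):
    """IPs with at least `threshold` events, suitable for a firewall deny list."""
    return sorted(ip for ip, n in count_by_source(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in count_by_source(SAMPLE_LOG).most_common():
        print(f"{ip:16} {n} connection(s) without SSH banner")
    print("same-second parallel connects:", parallel_connects(SAMPLE_LOG))
    print("blocklist:", blocklist(SAMPLE_LOG))
```

The threshold of two is an assumption chosen to match the sample; on a busy host a higher threshold over a sliding window is the usual choice, since a single banner-less connection can also come from a monitoring probe.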


These IPs were traced back. The port status of IP 113.73.9.186 is as follows:
PORT     STATE    SERVICE
53/tcp   open     domain
80/tcp   filtered http
445/tcp  filtered microsoft-ds
4444/tcp filtered krb524
8080/tcp filtered http-proxy
9000/tcp filtered cslistener
9500/tcp open     unknown


Almost the same status was seen for all the IPs.

Port 9500 is the only open port. A Telnet service is listening on that port and accepts login without a user name or password.

Running processes in the modem are:

  PID  Uid     VmSize Stat Command
    1 0           312 S   init      
    2 0               SW< [kthreadd]
    3 0               SW< [ksoftirqd/0]
    4 0               SW< [events/0]
    5 0               SW< [khelper]
    6 0               SW< [kblockd/0]
    7 0               SW  [pdflush]
    8 0               SW  [pdflush]
    9 0               SW< [kswapd0]
   10 0               SW< [aio/0]
   12 0               SW< [mtdblockd]
   56 0          1712 S   /bin/switch -d
  120 0           240 S   /bin/igdmptd -d
  122 0           192 S   init      
  132 0           260 S   /bin/eapd
  135 0           440 S   /bin/nas
  146 0           552 S   /sbin/dhcpd -cf /var/cfg/dhcpd.conf br0
  156 0           356 S   udhcpc -f -S -M -i vlan2
  323 0           352 S   sh -c  busybox telnetd -p 9500
  324 0           276 S   busybox telnetd -p 9500
  345 0           104 S   /tmp/eash 173.208.222.82 /tmp/
  402 0           628 S   /tmp/eash 173.208.222.82 /tmp/
 1913 0           316 S   miniupnpd -t 600 -i br0 -a 192.168.1.1
 2011 0           388 S   /bin/sh
 2020 0           352 S   /bin/boa -p web -f /var/boa.conf
 2021 0           516 S   dnsmasq -E -i br0 --pid-file=/var/tmp/dnsmasq.pid
 2027 0           296 R   ps -ef 


The process /tmp/eash is Enterprise Admin Shell, which logs the shell commands to the remote server at IP 173.208.222.82, which belongs to wholesalenetwork.net, located in Kansas City in the US.
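As an added example (not the post's own tooling), the following Python script parses a BusyBox `ps` listing like the one above and flags the three indicators the post relies on when triaging such a device: a program executing from a scratch directory such as /tmp, a telnet daemon and the port it was started on, and a public IP address handed to a program on its command line. The `ps` text is a constructed subset of the listing above; the list of scratch directories, the private-range regex and the wording of the findings are my assumptions about what a reviewer would want flagged.

```python
import re

# Constructed sample in the BusyBox `ps` layout shown in the post (a subset of
# its rows); the kernel-thread row has an empty VmSize column on purpose.
PS_SAMPLE = """\
  PID  Uid     VmSize Stat Command
    1 0           312 S   init
    2 0               SW< [kthreadd]
   56 0          1712 S   /bin/switch -d
  323 0           352 S   sh -c  busybox telnetd -p 9500
  324 0           276 S   busybox telnetd -p 9500
  345 0           104 S   /tmp/eash 173.208.222.82 /tmp/
  402 0           628 S   /tmp/eash 173.208.222.82 /tmp/
 1913 0           316 S   miniupnpd -t 600 -i br0 -a 192.168.1.1
 2020 0           352 S   /bin/boa -p web -f /var/boa.conf
"""

# One data row: PID, Uid, optional VmSize (blank for kernel threads), Stat, Command.
# The header line has no leading digits, so it simply fails to match.
PS_ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<uid>\d+)\s+(?P<vm>\d*)\s*(?P<stat>[A-Z<+]+)\s+(?P<cmd>.+?)\s*$"
)

# Assumed indicator definitions; tune them for the device under review.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PRIVATE_RE = re.compile(r"^(?:10\.|127\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)")
TELNETD_RE = re.compile(r"\btelnetd\b(?:.*?-p\s*(\d+))?")


def parse_ps(text):
    """Parse BusyBox ps output into a list of dicts (pid, uid, stat, cmd)."""
    procs = []
    for line in text.splitlines():
        m = PS_ROW_RE.match(line)
        if m:
            procs.append({"pid": int(m.group("pid")), "uid": int(m.group("uid")),
                          "stat": m.group("stat"), "cmd": m.group("cmd")})
    return procs


def triage(procs):
    """Return [(pid, argv0, [reasons])] for processes showing an indicator:
    execution from a scratch directory, a telnet daemon, or a public IP
    address passed as an argument. Processes with no indicator are omitted."""
    findings = []
    for p in procs:
        cmd = p["cmd"]
        argv0 = cmd.split()[0]
        reasons = []
        if argv0.startswith(SCRATCH_DIRS):
            reasons.append("executable lives in a world-writable scratch directory")
        m = TELNETD_RE.search(cmd)
        if m:
            reasons.append(f"telnet daemon listening on port {m.group(1) or '23'}")
        for ip in IP_RE.findall(cmd):
            if not PRIVATE_RE.match(ip):
                reasons.append(f"public address {ip} given as an argument")
        if reasons:
            findings.append((p["pid"], argv0, reasons))
    return findings


if __name__ == "__main__":
    for pid, argv0, reasons in triage(parse_ps(PS_SAMPLE)):
        print(f"PID {pid:5} {argv0}")
        for r in reasons:
            print("    -", r)
```

On the listing above this reports pids 323 and 324 for the telnet daemon on port 9500 and pids 345 and 402 for /tmp/eash, the latter with two reasons each (scratch directory plus the public address 173.208.222.82); miniupnpd is not flagged because 192.168.1.1 is a private address.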




1 comment:

web lol said...

KUL POST