Edit: I think it is normal for miners to make child connections, bcz i have seen it on normal working miners log but i dont know what is it for ? and here the problem is it can not authenticate.
Not normal, just temporary functioning so that it's not too obvious. You can go ahead and assume ALL miners have been compromised.
For sure any device with IP in this pattern:
Bad password attempt for 'root' from 192.168.2.15:57652
As soon as you flash the firmware and plug it into your network (to log in and change the password?), all other compromised miner immediately begins the hijack process, likely succeeds, and sit dormant before you even log in.
At some point later (soon or not) it changes and unchanges the pool settings at random interval so you won't notice.
A misc note regarding that address that the compromised devices will eventually route to:
https://bitcointalk.org/index.php?topic=5036968.msg50011282#msg50011282.
Multiple networks as suggested above to work with is probably a good way to approach it while you try to solve the issue.
If you are able to, flash them all within a network before powering any on.
If you flash them all before you power any of them on and still have the same issue eventually, then:
1) the firmware is a very probable source of the evilness or
2) and external pc/laptop or hardware has been compromised.
In which case you'll need to take your best guess to swap out the possible culprit and repeat.