Yeah this is gonna be a pain for you. :/
The child connection simply means an ssh connection occurred. Likely this is the antminers mAlware I have posted about before that masquerades as ntpd. It tries to take over any antminer and then points it at nicehash, as you have seen.
Changing passwords will help prevent the spread, but you now need to clean it up from every machine simultaneously... ie you should assume every one is compromised.
It sits in
/config as
.antminers, and included a
.key file. On startup it is coped over the original ntpd file and started up. It will attempt to spread and will replace the configuration at some point in time. I didnt bother figuring out the conditions in which it changes the config when I was reverse engineering it.
My most recent firmwares do include protection against this infection, but you still need to do the clean up.
If you are able to write some simple shell script, it is a matter of basically sending this (or something like it) to all of your miners at once:
if [ -f /config/.antminers ]; then rm /config/.antminers && killall ntpd && sync && reboot
After they reboot, change all the passwords.
Hope this helps.
EDIT: there is another malware that uses the API to add/replace your pools on the fly. It seems to run from an infected computer on the network... I have not been able to capture it in the wild, however, so I dont have a lot of extra information on it.
-j