Is the LEDE codebase affected by the so-called "VPN Filter" exploits described by this article? https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet
See CERT Advisory: VPNFilter Destructive Malware for current status.
(Right now, the answer is "unknown" for current releases and "quite possible" for older releases, but there are not enough technical details to know for either.)
I'm not sure about the codebase, but none of the currently known ports used as initial "scout vectors" are opened on WAN by default.
Just read that article, too! Scary stuff! I guess if we're not sure, just reboot!
If you're not sure:
- Save the config
- Flash a known-good copy of the firmware from the downloads site
- DO NOT AUTO RESTORE configs
- Manually restore configs by visually comparing the text files in the TAR
This malware's Phase 1 is persistent and has been observed to survive a reboot.
The part about the configs is a bit paranoid. The /etc/config folder should have absolutely nothing to do with the infection.
Unless the executable binary is added to /etc/config.
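As an added example, not part of this thread and not LEDE/OpenWrt code: a POSIX sh script that does the "manually restore by comparing the text files in the TAR" step mechanically, and also catches the case raised in the last two replies, an executable dropped into /etc/config. The backup tarball it inspects is constructed inline; its layout (etc/config/...) follows what `sysupgrade -b` writes. The "fresh" directory stands in for /etc/config on a router just flashed from the downloads site, and all function names are hypothetical.

```shell
#!/bin/sh
# Audit a LEDE/OpenWrt "sysupgrade -b" style backup before restoring it by hand.
# Hypothetical helper written for this thread, not LEDE code. The tarball is
# constructed below; paths containing whitespace are not handled (demo only).

# Constructed sample backup: two ordinary UCI files plus a planted executable
# with an ELF header hidden in etc/config, the case raised in the replies above.
make_sample_backup() {
    work=$(mktemp -d)
    mkdir -p "$work/src/etc/config"
    cat > "$work/src/etc/config/network" <<'EOF'
config interface 'lan'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '10.0.0.1'
EOF
    cat > "$work/src/etc/config/dropbear" <<'EOF'
config dropbear
	option PasswordAuth 'on'
	option Port '22'
EOF
    printf '\177ELF\002\001\001fake-payload\n' > "$work/src/etc/config/.cache"
    chmod 755 "$work/src/etc/config/.cache"
    tar -C "$work/src" -czf "$work/backup.tar.gz" etc
    echo "$work/backup.tar.gz"
}

# Stand-in for /etc/config on a freshly flashed router (constructed defaults).
make_fresh_config() {
    fresh=$(mktemp -d)
    cat > "$fresh/network" <<'EOF'
config interface 'lan'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
EOF
    cat > "$fresh/dropbear" <<'EOF'
config dropbear
	option PasswordAuth 'on'
	option Port '22'
EOF
    echo "$fresh"
}

# Flag members that do not belong in a config backup: anything outside etc/,
# anything with the executable bit set, anything starting with the ELF magic
# 7f 45 4c 46. Prints one "path: reason" line per hit; returns 1 if any found.
audit_backup() {
    tarball=$1
    tmp=$(mktemp -d)
    tar -C "$tmp" -xzf "$tarball"
    found=0
    for f in $(cd "$tmp" && find . -type f | sort); do
        rel=${f#./}
        path="$tmp/$rel"
        reason=""
        case "$rel" in
            etc/*) ;;
            *) reason="outside etc/" ;;
        esac
        [ -x "$path" ] && reason="${reason:+$reason, }executable bit set"
        magic=$(od -An -tx1 -N4 "$path" | tr -d ' \n')
        [ "$magic" = "7f454c46" ] && reason="${reason:+$reason, }ELF header"
        if [ -n "$reason" ]; then
            echo "$rel: $reason"
            found=1
        fi
    done
    rm -rf "$tmp"
    return $found
}

# The "visually compare" step: unified diff of each backed-up etc/config file
# against the fresh image, plus a loud marker for files the fresh image lacks.
diff_configs() {
    tarball=$1
    fresh=$2
    tmp=$(mktemp -d)
    tar -C "$tmp" -xzf "$tarball"
    for f in $(cd "$tmp/etc/config" && find . -type f | sort); do
        name=${f#./}
        if [ -f "$fresh/$name" ]; then
            diff -u "$fresh/$name" "$tmp/etc/config/$name" || true
        else
            echo "NEW FILE (not in fresh image): etc/config/$name"
        fi
    done
    rm -rf "$tmp"
}

BACKUP=$(make_sample_backup)
FRESH=$(make_fresh_config)
echo "== suspicious members =="
audit_backup "$BACKUP" || echo "=> do not auto-restore; copy the clean files back by hand"
echo "== differences vs fresh /etc/config =="
diff_configs "$BACKUP" "$FRESH"
```

On a real router you would point `audit_backup` at the backup saved in the first step and pass the freshly flashed /etc/config as the second argument to `diff_configs`; anything the audit lists, and any "NEW FILE" the diff reports, is exactly what an auto-restore would have put back without asking.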