Is the LEDE codebase affected by the so-called "VPN Filter" exploits described by this article? https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet
See CERT Advisory: VPNFilter Destructive Malware for current status.
(Right now, the answer is "unknown" for current releases and "quite possible" for older releases, but there are not enough technical details to know for either.)
1 Like
I'm not sure about the codebase; but none of the currently-known ports used as initial "scout vectors" are opened on WAN by default.
1 Like
Just read that article, too! Scary stuff! I guess if we're not sure, just reboot!
If you're not sure:
- Save the config
- Flash a known-good copy of the firmware from the downloads site
- DO NOT AUTO RESTORE configs
- Manually restore configs by visually comparing the text files in the TAR
This malware's Phase 1 is persistent and has been observed to survive a reboot.
1 Like
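The manual-restore step above is the one people usually skip. As an added example (not from the thread, not LEDE/OpenWrt project code), here is a small shell script that audits a `sysupgrade -b` backup tarball before anything is copied back: it flags any entry that is executable, non-text, or not a regular file, and diffs each `etc/config/*` file against a directory of known-good defaults so the restore is done by reading the diff rather than by a blind `sysupgrade -r`. The sample tarball it builds (two ordinary UCI files plus a planted fake-ELF executable under `etc/config`) is constructed for the demo; the `WORK` directory and the `fresh` defaults directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a sysupgrade backup before a
# manual restore. Assumes the tarball was made with "sysupgrade -b", so
# entries look like "etc/config/network". WORK is a scratch directory.

WORK="${WORK:-$(mktemp -d)}"

# Build a constructed sample backup: two normal UCI text files plus a
# planted executable hidden under etc/config (the case raised later in
# the thread). Prints the tarball path.
make_sample_backup() {
    src="$WORK/src"
    mkdir -p "$src/etc/config"
    printf "config interface 'wan'\n\toption proto 'dhcp'\n" > "$src/etc/config/network"
    printf "config system\n\toption hostname 'LEDE'\n" > "$src/etc/config/system"
    printf '\177ELF\002\001\001' > "$src/etc/config/.cache"   # fake ELF header
    chmod 755 "$src/etc/config/.cache"
    tar -C "$src" -cf "$WORK/backup.tar" etc
    echo "$WORK/backup.tar"
}

# List backup entries that are not plain-text config: anything with an
# execute bit, anything containing bytes outside printable ASCII and
# whitespace, and anything that is not a regular file or directory.
# Prints "SUSPECT <reason> <path>" per hit; prints nothing when clean.
audit_backup() {
    tb="$1"
    x="$WORK/x"; rm -rf "$x"; mkdir -p "$x"
    tar -C "$x" -xf "$tb"
    find "$x" -type f | while read -r f; do
        rel="${f#$x/}"
        if [ -x "$f" ]; then
            echo "SUSPECT executable $rel"
        elif LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
            echo "SUSPECT binary $rel"
        fi
    done
    find "$x" ! -type f ! -type d | while read -r f; do
        echo "SUSPECT non-regular ${f#$x/}"
    done
}

# Show what each etc/config file in the backup would change relative to
# a directory of freshly flashed defaults ($2), so every line restored is
# one you have actually read.
diff_configs() {
    tb="$1"; fresh="$2"
    x="$WORK/d"; rm -rf "$x"; mkdir -p "$x"
    tar -C "$x" -xf "$tb"
    for f in "$x"/etc/config/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ -f "$fresh/$name" ]; then
            diff -u "$fresh/$name" "$f" || true
        else
            echo "only in backup: etc/config/$name"
        fi
    done
}

# Demo on the constructed sample: expect one SUSPECT line for .cache.
TB=$(make_sample_backup)
audit_backup "$TB"
```

Run it against a real backup with `audit_backup backup.tar.gz` (the `tar -xf` call handles gzip on GNU and BusyBox tar) and `diff_configs backup.tar.gz /path/to/defaults`, where the defaults directory is `/etc/config` copied off the router right after flashing a known-good image. Anything the audit flags should simply not be restored; anything the diff shows should be re-entered by hand or via `uci set`, not untarred over the fresh system.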
The part about the configs is a bit paranoid. The /etc/config folder should have absolutely nothing to do with the infection.
Unless the executable binary is added to /etc/config.