VPNFilter: Are we lucky we are not affected?

Note
This program is obsolete. Replacement for netstat is ss. Replacement for netstat -r is ip route. Replacement for netstat -i is ip -s link. Replacement for netstat -g is ip maddr.

This would help auditing/investigating unexplained sockets, e.g. Purpose of RxRPC? - #2 by anon50890781 - SW help - Turris forum


Albeit not an auditing tool, but adding a protective layer by advancing the firewall’s WAN with ipset of revolving IP blacklists such as:

DSHIELD|14400|0|http://www.dshield.org/block.txt
BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt
HONEYPOT|14400|0|Dictionary Attacker IPs | By Last Bad Event | Project Honey Pot
CIARMY|14400|0|http://www.ciarmy.com/list/ci-badguys.txt
BFB|14400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php
BDE|3600|0|https://api.blocklist.de/getlast.php?time=3600
BDEALL|14400|0|http://lists.blocklist.de/lists/all.txt
GREENSNOW|14400|0|https://blocklist.greensnow.co/greensnow.txt
TALOS|14400|0|http://talosintel.com/feeds/ip-filter.blf
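
Added example, not part of the post above or of Turris OS: one way to load a downloaded feed from such a list into an ipset, validating every entry first because several of these feeds are fetched over plain HTTP. It assumes the lines follow a NAME|INTERVAL|MAX|URL layout (interval in seconds, MAX of 0 meaning no limit) and that a feed is plain text with one IPv4 address or CIDR per line; the function names and the `-new` suffix are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed feed shape: plain text, one IPv4
# address or CIDR at the start of each line, '#' or ';' comment lines.

# split_feed_line 'NAME|INTERVAL|MAX|URL' prints the four fields; fails on bad lines.
split_feed_line() {
    printf '%s\n' "$1" | awk -F'|' '
        NF == 4 && $1 ~ /^[A-Z0-9_]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ &&
        $4 ~ /^https?:\/\/[^ ]+$/ { print $1, $2, $3, $4; ok = 1 }
        END { exit !ok }'
}

# feed_to_restore SETNAME MAX: feed text on stdin, `ipset restore` input on stdout.
# Entries are loaded into SETNAME-new and swapped in, so the live set is never empty.
feed_to_restore() {
    awk -v set="$1" -v max="$2" '
        function valid(tok,    p, o, n, i) {
            n = split(tok, p, "/")
            if (n > 2) return 0
            # Refuse prefixes shorter than /8: one bad entry such as 0.0.0.0/0
            # would otherwise drop all WAN traffic.
            if (n == 2 && (p[2] !~ /^[0-9][0-9]?$/ || p[2] + 0 < 8 || p[2] + 0 > 32))
                return 0
            if (split(p[1], o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) return 0
            return 1
        }
        BEGIN {
            tmp = set "-new"
            print "create " tmp " hash:net family inet"
            print "flush " tmp
        }
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }
        !valid($1) || seen[$1]++ { next }         # skip malformed and duplicate entries
        max + 0 > 0 && count >= max + 0 { next }  # MAX of 0 means no limit
        { print "add " tmp " " $1; count++ }
        END {
            print "create " set " hash:net family inet"
            print "swap " tmp " " set
            print "destroy " tmp
        }'
}

# Usage on the router (CIARMY is one of the feed names listed in the post):
#   feed_to_restore CIARMY 0 < ci-badguys.txt | ipset -exist restore
```

The HONEYPOT line as it appears above fails `split_feed_line`, since its URL field did not survive on the page.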


:+1:

Add to that some transparency of how TO is applying backported security patches to the kernel and userland applications, and how TO is monitoring CVEs for kernel, userland apps in general and OpenWRT in particular.


Since the FBI has seized the command and control domain, it recommends a router reboot, which would help them to assess which devices are infected. Hopefully there will be no TO/OpenWRT amongst them.
