tcp 1 0 192.168.0.116:46644 107.21.1.61:443 CLOSE_WAIT 15234/chfn
The IP address there resolves to DuckDuckGo's servers on Amazon AWS. So that itself should be innocuous. But a system binary making outbound connections, not so much.
Further note: I was running Metasploit attacks against the VM, including meterpreter sessions in Firefox via a deliberately installed XPI extension. Also I have the VirtualBox guest utils installed on the VM. Otherwise it's a vanilla Salix install. However, with Metasploit I did not do anything that deliberately changed the chfn binary. My guess is, it comes down to either
a) Metasploit doing something without my say-so, including escalation to root. (Maaaaaybe; seems unlikely as it's maintained by Rapid7 etc.)
b) VirtualBox doing something it shouldn't with the guest extensions. (Seems quite unlikely.)
c) Salix and/or Slackware being tampered with upstream in some way, or possibly a slackbuild being messed with. (I believe the only one I have installed is unhide. Have to check though.)
d) Being instapwned by an ad or something? Dunno.
e) Me being really stupid and missing something obvious...
Anyway, sorry to bring bad news here, assuming that's what it is. Hope you guys can enlighten me as to what this is about.
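A triage script for exactly this situation, added here as an example and not part of the original post or of any Salix/Slackware tooling: it parses `netstat -tnp` lines, flags connections owned by binaries that on a box with purely local accounts have no business opening sockets (the list is my assumption; chfn, chsh and passwd can legitimately talk to LDAP or NIS when configured for it), and then pulls what /proc still knows about the owning PID before it exits: the real executable path (readlink appends " (deleted)" if the file was replaced or unlinked after exec), cwd, parent PID, command line, and the SHA-256 of the running image compared with the on-disk file. It assumes Linux with /proc and coreutils `sha256sum`. The sample netstat line is a constructed copy of the one posted above.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes Linux /proc,
# readlink and sha256sum (coreutils).

# Constructed copy of the netstat line from the post, used as sample input.
SAMPLE_NETSTAT_LINE='tcp 1 0 192.168.0.116:46644 107.21.1.61:443 CLOSE_WAIT 15234/chfn'

# Parse one `netstat -tnp` line. Prints: proto remote state pid program
# Returns 1 for lines with fewer than 7 fields (headers, blank lines).
parse_netstat_line() {
    set -- $1
    [ $# -ge 7 ] || return 1
    proto=$1; remote=$5; state=$6; pidprog=$7
    pid=${pidprog%%/*}
    prog=${pidprog#*/}
    printf '%s %s %s %s %s\n' "$proto" "$remote" "$state" "$pid" "$prog"
}

# Binaries that, on a vanilla install with local accounts only, should never
# open a network socket. This list is an assumption for the example:
# chfn/chsh/passwd do talk to LDAP/NIS when the box is configured for that.
is_unexpected_network_program() {
    case "$1" in
        chfn|chsh|passwd|gpasswd|newgrp) return 0 ;;
        *) return 1 ;;
    esac
}

# Collect what /proc knows about a live PID, and compare the hash of the
# image actually executing (/proc/PID/exe) with the file at its on-disk path.
triage_pid() {
    pid=$1
    p=/proc/$pid
    if [ ! -d "$p" ]; then
        printf 'pid %s: no /proc entry (already gone?)\n' "$pid"
        return 1
    fi
    exe=$(readlink "$p/exe" 2>/dev/null || true)
    cwd=$(readlink "$p/cwd" 2>/dev/null || true)
    cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null || true)
    ppid=$(awk '/^PPid:/ {print $2}' "$p/status" 2>/dev/null || true)
    printf 'pid=%s exe=%s cwd=%s ppid=%s cmdline=%s\n' \
        "$pid" "$exe" "$cwd" "$ppid" "$cmd"
    case "$exe" in
        *" (deleted)"*) printf 'WARNING: executable replaced or unlinked after exec\n' ;;
    esac
    # /proc/PID/exe still opens the running inode even if the path was replaced.
    running=$(sha256sum "$p/exe" 2>/dev/null | cut -d' ' -f1 || true)
    ondisk=$(sha256sum "${exe% (deleted)}" 2>/dev/null | cut -d' ' -f1 || true)
    printf 'sha256 running=%s ondisk=%s\n' "$running" "$ondisk"
    if [ -n "$running" ] && [ "$running" != "$ondisk" ]; then
        printf 'WARNING: running image differs from on-disk file\n'
    fi
    return 0
}

# Read `netstat -tnp` output on stdin and triage every non-listening
# connection owned by a program from the list above.
netstat_triage() {
    while read -r line; do
        parsed=$(parse_netstat_line "$line") || continue
        set -- $parsed
        case "$4" in ''|*[!0-9]*) continue ;; esac   # no PID (header, "-")
        case "$3" in LISTEN) continue ;; esac
        if is_unexpected_network_program "$5"; then
            printf '== %s (pid %s) -> %s [%s]\n' "$5" "$4" "$2" "$3"
            triage_pid "$4" || true
        fi
    done
    return 0
}

# Usage on a live box: netstat -tnp 2>/dev/null | netstat_triage
```

Run it as root so /proc/PID/exe is readable for other users' processes, and run it while the connection is still there: once the process exits, all that is left is the on-disk file, which you can then compare against a pristine copy of the package it ships in from the Slackware/Salix mirrors. A "(deleted)" exe or a running/on-disk hash mismatch is the strongest signal here; a clean match only tells you the file on disk is what is running, not that it is the distribution's file.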