My GuardDuty management console on Amazon shows that my server is infected with malware:
"EC2 instance i-7e1d4356 is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance"
It is querying fkg2f0c33okxznr2nknk7jdhaozrz2ul.com
I checked the access log and found these entries (an "attempt at SQL injection"):
79.174.12.136 - - [25/Mar/2019:15:30:45 +0000] "GET /company/registration.php?pid=211111111111111111111111111'%20UNION%20SELECT%20(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20psytest.transactions%20)%20--%20%20 HTTP/1.1" 200 5086 "-" "-"
79.174.12.136 - - [28/Mar/2019:11:02:27 +0000] "GET /company/registration.php?pid=211111111111111111111111111'%20UNION%20SELECT%20(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20psytest.mail_templates%20)%20--%20%20 HTTP/1.1" 200 58 "-" "-"
I blocked this IP 79.174.12.136 and for the last 4 hours, there has been no further attempt.
However, I want to be sure that there is no malware lying there... How do I investigate and fix it?
Can anyone provide some guidance please?
(Note: My question is very specific to this kind of problem. The one marked as duplicate is a very general question. I have already gone through that and did not find a solution to my problem in it.)
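An added example, not code from the question or from any answer: a small Python triage script for exactly the two artefacts the question has, the access-log entries and the GuardDuty domain. It URL-decodes each request's query string and flags common SQL-injection indicators, groups the hits by source IP together with the response status and size (the two entries above both got a 200, with very different body sizes, which is worth noting when deciding whether the injected query actually ran), and applies a crude entropy heuristic to a domain name to show why GuardDuty calls it "algorithmically generated". The two malicious log lines and the domain are taken from the question; the benign log lines, the indicator patterns and the thresholds are constructed for this example and are assumptions, not a reference ruleset.

```python
import math
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Apache "combined" log line, e.g.
# 1.2.3.4 - - [25/Mar/2019:15:30:45 +0000] "GET /p?q=1 HTTP/1.1" 200 5086 "-" "-"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic SQLi indicators, matched against the *decoded* query string.
# Constructed for this example; tune to your own application's parameters.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "tautology": re.compile(r"'\s*(or|and)\s+['\d]", re.I),
    "mysql_builtin": re.compile(
        r"\b(information_schema|sleep\s*\(|benchmark\s*\(|load_file\s*\()", re.I),
    "comment_tail": re.compile(r"--\s*$"),  # trailing comment cuts off the rest of the query
}

# Two lines copied from the question plus two constructed benign lines.
SAMPLE_LOG = [
    '79.174.12.136 - - [25/Mar/2019:15:30:45 +0000] "GET /company/registration.php?pid=211111111111111111111111111\'%20UNION%20SELECT%20(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20psytest.transactions%20)%20--%20%20 HTTP/1.1" 200 5086 "-" "-"',
    '10.0.0.5 - - [25/Mar/2019:15:31:02 +0000] "GET /company/registration.php?pid=42 HTTP/1.1" 200 5090 "-" "-"',
    '10.0.0.7 - - [26/Mar/2019:09:12:40 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 812 "-" "-"',
    '79.174.12.136 - - [28/Mar/2019:11:02:27 +0000] "GET /company/registration.php?pid=211111111111111111111111111\'%20UNION%20SELECT%20(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20psytest.mail_templates%20)%20--%20%20 HTTP/1.1" 200 58 "-" "-"',
]


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decode_query(path):
    """Return the URL-decoded query string of a request path ('' if there is none)."""
    if "?" not in path:
        return ""
    query = path.split("?", 1)[1]
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are not missed.
    return unquote_plus(unquote_plus(query))


def sqli_indicators(path):
    """Names of the SQLi patterns that match the decoded query string of a request."""
    q = decode_query(path)
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(q)]


def triage(lines):
    """Group suspicious requests by source IP, keeping status and size for follow-up."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = sqli_indicators(rec["path"])
        if found:
            hits[rec["ip"]].append({
                "ts": rec["ts"], "path": rec["path"], "indicators": found,
                "status": rec["status"], "size": rec["size"],
            })
    return dict(hits)


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(domain, min_len=16, min_entropy=3.5):
    """Crude DGA heuristic: a long, high-entropy, vowel-poor second-level label."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) >= min_entropy and vowels / len(label) < 0.3


if __name__ == "__main__":
    for ip, reqs in triage(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} suspicious request(s)")
        for r in reqs:
            print(f"  {r['ts']} status={r['status']} size={r['size']} {r['indicators']}")
    for d in ("fkg2f0c33okxznr2nknk7jdhaozrz2ul.com", "amazonaws.com"):
        print(d, "looks algorithmically generated" if looks_generated(d) else "looks normal")
```

Run it against the full access log rather than the four sample lines; the point of grouping by IP with status and size is to see whether a probe was answered successfully and whether other addresses sent similar payloads after the blocked one. The domain heuristic is only a quick sanity check on GuardDuty's finding: the instance-level DNS and process data (what process on i-7e1d4356 is resolving that name) is what actually tells you whether something is running on the box.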