
My GuardDuty management console on Amazon shows that my server is infected with malware:

"EC2 instance i-7e1d4356 is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance"

It is querying fkg2f0c33okxznr2nknk7jdhaozrz2ul.com

I checked the access log and found these entries (an attempt at SQL injection):

79.174.12.136 - - [25/Mar/2019:15:30:45 +0000] "GET /company/registration.php?pid=211111111111111111111111111'%20UNION%20SELECT%20(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20psytest.transactions%20)%20--%20%20 HTTP/1.1" 200 5086 "-" "-"

79.174.12.136 - - [28/Mar/2019:11:02:27 +0000] "GET /company/registration.php?pid=211111111111111111111111111'%20UNION%20SELECT%20(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20psytest.mail_templates%20)%20--%20%20 HTTP/1.1" 200 58 "-" "-"

I blocked this IP 79.174.12.136 and for the last 4 hours, there has been no further attempt.

However, I want to be sure that there is no malware lying there... How do I investigate and fix it?

Can anyone provide some guidance please?

(Note: My question is very specific to the kind of problem. The one marked as duplicate is a very general question. I have already gone through that and did not find a solution to my problem in it.)

  • Unfortunately, we are not a malware removal forum. – schroeder Mar 28 '19 at 18:25
  • I know that, but don't you think that people concerned with the security aspect should be aware about it? Moreover, it is my pressing need. – Vijai Pandey Mar 28 '19 at 18:35
  • Vijai - no, I'm afraid that would not make it any more on topic here. – Rory Alsop Mar 28 '19 at 18:39
  • You should reach out to the Amazon Security team for guidance/assistance. You should also try to work it out through an incident response provider. If you're not sure what you should do now, at least get the situation resolved and seek some incident response training yourself to handle the situation better in the future. Best of luck with your issues man. Tough situation to be in. – Steve Kline Mar 28 '19 at 18:42
  • I did that Steve, thank you and thanks for understanding my situation. I posted the question with aim to get some knowledge or guidance on this specific issue as I could not find it anywhere else. I fixed the problem and learnt a lot in the last 5 hours. – Vijai Pandey Mar 28 '19 at 19:40
  • @VijaiPandey so, you had an infected instance and you are asking how to investigate and fix it. The duplicate covers what to do in general. We are not a malware removal forum, so posting any specifics about this particular infection does not make sense. – schroeder Mar 28 '19 at 19:57
  • and please do not cross-post on StackExchange: https://superuser.com/questions/1418718/how-to-investigate-and-remove-trojanec2-dgadomainrequest-b – schroeder Mar 28 '19 at 19:58
  • Got it.. thanks.. I posted the question here as on superuser.com someone suggested I post it here as it is more relevant here. – Vijai Pandey Mar 29 '19 at 06:07
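As an added defender-side example (not part of the question or its comments), the following Python script parses lines in the access-log format quoted above, URL-decodes the query parameters, flags requests whose decoded values carry the UNION SELECT payload, records which tables the payload references, and tallies source IPs so that blocking and log review can be prioritised. The first two sample lines are the entries from the question; the third benign line and the signature list are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Combined-format access log line (Apache/nginx), the format of the quoted entries.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Constructed signatures, checked against URL-decoded parameter values (detection only).
SQLI_RE = re.compile(
    r"\bunion\b\s+(all\s+)?select\b|'\s*(or|and)\b|--\s*$|/\*.*\*/|\binformation_schema\b",
    re.IGNORECASE,
)
TABLE_RE = re.compile(r"\bfrom\s+([A-Za-z_][\w.]*)", re.IGNORECASE)

def parse_line(line):
    """Return ip, ts, path, status and decoded query params for one line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, query = rec["target"].partition("?")
    rec["params"] = dict(parse_qsl(query, keep_blank_values=True))  # percent-decodes values
    rec["status"] = int(rec["status"])
    return rec

def triage(lines):
    """One finding per request whose decoded parameter values match a signature."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"].items():
            if SQLI_RE.search(value):
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                                 "param": name, "status": rec["status"],
                                 "tables": TABLE_RE.findall(value), "payload": value})
    return findings

def sources(findings):
    """Flagged requests per source IP, to prioritise blocking and further log review."""
    return Counter(f["ip"] for f in findings)

# Sample input: the two entries from the question plus one constructed benign request.
SAMPLE = [
    '79.174.12.136 - - [25/Mar/2019:15:30:45 +0000] "GET /company/registration.php?pid=211111111111111111111111111\'%20UNION%20SELECT%20(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20psytest.transactions%20)%20--%20%20 HTTP/1.1" 200 5086 "-" "-"',
    '79.174.12.136 - - [28/Mar/2019:11:02:27 +0000] "GET /company/registration.php?pid=211111111111111111111111111\'%20UNION%20SELECT%20(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20psytest.mail_templates%20)%20--%20%20 HTTP/1.1" 200 58 "-" "-"',
    '10.0.0.5 - - [25/Mar/2019:15:31:00 +0000] "GET /company/registration.php?pid=42 HTTP/1.1" 200 5086 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["ip"], f["ts"], f["path"], f["param"], f["status"], f["tables"])
    print(sources(triage(SAMPLE)))
```

Run it against the full access log (one line per list element) rather than the sample to see every source that sent the same payload, not only the one IP already blocked.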

0 Answers