I received an alert from AWS GuardDuty that my EC2 instance is querying algorithmically generated domains, which is commonly used by malware and could indicate a compromised instance. The suspicious domain name is uigfhidfhnsdnkv4.com. My instance is hosting a self-hosted Appsmith server on AWS, but I checked and there are no intentional requests to that domain in our code. We reinstalled the server to a new instance from the stack folder backup, but I'm not sure if this is safe and how to improve security going forward. GuardDuty hasn't detected any new alerts since the migration.
The user received an AWS GuardDuty alert indicating that a Trojan on their Appsmith server was querying an algorithmically generated domain (uigfhidfhnsdnkv4.com). They were running an older version of Appsmith and were concerned that their system was vulnerable.
After investigation, it was determined that Appsmith itself was not the cause of the alert. The user rebuilt their Appsmith server on a new instance from a backup and hardened it: they updated Appsmith to a current version and configured the instance to require IMDSv2, so the Instance Metadata Service no longer answers unauthenticated v1 requests of the kind malware uses to harvest role credentials.
The alert did not recur after the migration, which is a reasonable sign that the threat was removed; note that a restore from the affected instance's stack folder backup can carry persistence across, so a quiet GuardDuty is evidence rather than proof, and the original DNS query is still worth tracing to the process that made it. The takeaways are to keep software up to date and to investigate every security alert instead of dismissing it.
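One way to do that tracing, added here as an illustration and not part of the original thread or of Appsmith: pull the instance's DNS activity from Route 53 Resolver query logs, confirm which instance and source address queried the GuardDuty domain, and look for other labels that share the DGA shape (long, high-entropy, vowel-poor). The log records below are constructed samples, the field names (query_name, srcaddr, srcids.instance, rcode) are an assumption about the Resolver query log layout, and the thresholds are illustrative rather than a vetted classifier.

```python
import json
import math
from collections import Counter

# Constructed sample Route 53 Resolver query log records (not real traffic).
# Key names are an assumption about the Resolver query log JSON layout;
# adjust them if your log source differs.
SAMPLE_LOG_LINES = [
    json.dumps({"query_timestamp": "2023-05-01T10:00:01Z", "query_name": "api.appsmith.com.",
                "query_type": "A", "rcode": "NOERROR", "srcaddr": "10.0.1.25",
                "srcids": {"instance": "i-0123456789abcdef0"}}),
    json.dumps({"query_timestamp": "2023-05-01T10:00:02Z", "query_name": "ec2messages.us-east-1.amazonaws.com.",
                "query_type": "A", "rcode": "NOERROR", "srcaddr": "10.0.1.25",
                "srcids": {"instance": "i-0123456789abcdef0"}}),
    json.dumps({"query_timestamp": "2023-05-01T10:00:03Z", "query_name": "d1a2b3c4d5e6f7.cloudfront.net.",
                "query_type": "A", "rcode": "NOERROR", "srcaddr": "10.0.1.25",
                "srcids": {"instance": "i-0123456789abcdef0"}}),
    json.dumps({"query_timestamp": "2023-05-01T10:00:04Z", "query_name": "uigfhidfhnsdnkv4.com.",
                "query_type": "A", "rcode": "NXDOMAIN", "srcaddr": "10.0.1.25",
                "srcids": {"instance": "i-0123456789abcdef0"}}),
    json.dumps({"query_timestamp": "2023-05-01T10:00:05Z", "query_name": "github.com.",
                "query_type": "A", "rcode": "NOERROR", "srcaddr": "10.0.2.40",
                "srcids": {"instance": "i-0fedcba9876543210"}}),
]

VOWELS = set("aeiou")


def registrable_label(qname: str) -> str:
    """Label left of the TLD: 'uigfhidfhnsdnkv4' for 'x.uigfhidfhnsdnkv4.com.'.
    Simplification: the last label is treated as the TLD. Production code should
    consult the public suffix list so 'example.co.uk' yields 'example'."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, dictionary words low."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def label_features(label: str) -> dict:
    """Cheap lexical features: length, entropy, vowel share, longest consonant run.
    Digits and hyphens break a consonant run and count as non-vowels."""
    run = longest = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label) if label else 0.0
    return {"length": len(label), "entropy": shannon_entropy(label),
            "vowel_ratio": vowel_ratio, "max_consonant_run": longest}


def dga_signals(features: dict) -> list:
    """Signals a DGA-style label tends to trip. Thresholds are illustrative
    assumptions; tune them against your own benign traffic before relying on them."""
    signals = []
    if features["length"] >= 12:
        signals.append("long label")
    if features["entropy"] >= 3.0:
        signals.append("high entropy")
    if features["vowel_ratio"] < 0.25:
        signals.append("few vowels")
    if features["max_consonant_run"] >= 5:
        signals.append("long consonant run")
    return signals


def triage(log_lines, known_bad=frozenset(), min_signals=3):
    """One finding per record that matches a known IOC or trips enough DGA
    signals, carrying the source instance and address for attribution."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        domain = rec["query_name"].rstrip(".").lower()
        signals = dga_signals(label_features(registrable_label(domain)))
        if domain in known_bad:
            signals.insert(0, "matches GuardDuty IOC")
        if domain in known_bad or len(signals) >= min_signals:
            findings.append({"query_name": domain,
                             "instance": rec.get("srcids", {}).get("instance"),
                             "srcaddr": rec.get("srcaddr"),
                             "rcode": rec.get("rcode"),
                             "signals": signals})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG_LINES, known_bad={"uigfhidfhnsdnkv4.com"}):
        print(finding)
```

The features are computed on the registrable label rather than the full hostname, so a random-looking CDN subdomain such as the cloudfront.net record is not flagged while the GuardDuty domain trips every signal. The instance id and source address in the finding are what to take to the host itself: the process that resolved that name is the thing to hunt for, and an NXDOMAIN answer is typical of a DGA client walking candidate names until one is registered.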