Trojan:EC2/DGADomainRequest alert (self-hosted Appsmith server)

Hi.

I have a self-hosted Appsmith server on AWS.
Some time ago, AWS GuardDuty sent me the alert:

AWS account has a severity 8 GuardDuty finding 
type Trojan:EC2/DGADomainRequest.B in the us-east-1 region.
Finding Description
EC2 instance i-XXXXXXXXX is querying algorithmically generated domains. 
Such domains are commonly used by malware and could be an indication 
of a compromised EC2 instance..

The suspicious domain name is uigfhidfhnsdnkv4.com.

The AWS documentation link

The EC2 instance is used for the Appsmith server only. Of course, some other apps were installed there, but nothing special: Docker to run the Appsmith, and maybe a couple of some utility apps…

The server details:

  • v1.7.10
  • installed using the Docker setup
  • Free signup is disabled
    • I found the description of vulnerabilities in case if the free signup is allowed: link1, link2
    • So it seems like these vulnerabilities are not my case.

The alert was only a short period of time (4 events in half an hour).

I reinstalled the server to a new instance from the stack folder backup.
More than a week has passed. No new alerts were detected.

I have several questions:

  • Can it be the Appsmith vulnerability?
  • Is restoring from the stack folder backup safe? Is there a chance that malware was also in the backup and I restored it on the new instance?
  • How can I improve security?

I will also be grateful for any tips.

Thanks.

Hey, @ivp, thank you for reaching out.

To answer your questions:

No, I don’t think so. The vulnerabilities linked to, are about an SSRF, and an account-takeover with an XSS. Neither of these involve, or need to make an external request as flagged by AWS.

Yes. The stacks folder contains all your Appsmith data, and data only. It doesn’t include any executables, or code/scripts that run. It doesn’t include any logic. Just data.

The first thing I’d recommend is, please keep your Appsmith up-to-date. The version 1.7.10 is very old, and we are at v1.9.4 today. I won’t ask you to turn auto-updates on, but at least look into manual updates at least once a week.

The outgoing request flagged by AWS, looks very much like an API action executed by configuring it in an Appsmith app. Can you check within your team if this was an intentional request? If yes, this would be a false alarm. If not, we can look into getting a list of users on your system to verify there’s nothing unexpected in that list. Let me know if you want to check this out.

Thank you.

Hi @sharat87

Thanks for the answers and recommendations.

The outgoing request flagged by AWS, looks very much like an API action executed by configuring it in an Appsmith app. Can you check within your team if this was an intentional request?

We didn’t configure such requests in an Appsmith app.
Except for me, only one developer is working with Appsmith, and we are reviewing PRs before the merging, so I would know this 100%.
Just for the case, I checked the source of the Appsmith app (we use the Git integration) we don’t have such a domain name in the code.

Understood. Thanks for confirming.

Then the only other scenario I can think of, is that someone exploited the SSRF vulnerability on you EC2 instance, and gained SSH access to the server. This would allow them to run any extra payload on the server, which might’ve executed that suspicious DNS request.

Also, do you have Instance Metadata v1 enabled on your EC2 instance? If okay, can you change it to v2-only? That SSRF vulnerability, although fixed, is only possible if you have Instance Metadata v1 enabled on your instance. Changing this to v2 can be another layer of defense for you, just in case.

Thanks for the ideas.