Trojan:EC2/DGADomainRequest alert (self-hosted Appsmith server)

ivp · January 20, 2023, 4:40pm

Hi.

I have a self-hosted Appsmith server on AWS.
Some time ago, AWS GuardDuty sent me the alert:

AWS account has a severity 8 GuardDuty finding 
type Trojan:EC2/DGADomainRequest.B in the us-east-1 region.
Finding Description
EC2 instance i-XXXXXXXXX is querying algorithmically generated domains. 
Such domains are commonly used by malware and could be an indication 
of a compromised EC2 instance..

The suspicious domain name is uigfhidfhnsdnkv4.com.

The AWS documentation link

The EC2 instance is used for the Appsmith server only. Of course, some other apps were installed there, but nothing special: Docker to run the Appsmith, and maybe a couple of some utility apps…

The server details:

v1.7.10
installed using the Docker setup
Free signup is disabled
- I found the description of vulnerabilities in case if the free signup is allowed: link1, link2
- So it seems like these vulnerabilities are not my case.

The alert was only a short period of time (4 events in half an hour).

I reinstalled the server to a new instance from the stack folder backup.
More than a week has passed. No new alerts were detected.

I have several questions:

Can it be the Appsmith vulnerability?
Is restoring from the stack folder backup safe? Is there a chance that malware was also in the backup and I restored it on the new instance?
How can I improve security?

I will also be grateful for any tips.

Thanks.

sharat87 · January 24, 2023, 2:43am

Hey, @ivp, thank you for reaching out.

To answer your questions:

No, I don’t think so. The vulnerabilities linked to, are about an SSRF, and an account-takeover with an XSS. Neither of these involve, or need to make an external request as flagged by AWS.

Yes. The stacks folder contains all your Appsmith data, and data only. It doesn’t include any executables, or code/scripts that run. It doesn’t include any logic. Just data.

The first thing I’d recommend is, please keep your Appsmith up-to-date. The version 1.7.10 is very old, and we are at v1.9.4 today. I won’t ask you to turn auto-updates on, but at least look into manual updates at least once a week.

The outgoing request flagged by AWS, looks very much like an API action executed by configuring it in an Appsmith app. Can you check within your team if this was an intentional request? If yes, this would be a false alarm. If not, we can look into getting a list of users on your system to verify there’s nothing unexpected in that list. Let me know if you want to check this out.

Thank you.

ivp · January 24, 2023, 5:50pm

Hi @sharat87

Thanks for the answers and recommendations.

The outgoing request flagged by AWS, looks very much like an API action executed by configuring it in an Appsmith app. Can you check within your team if this was an intentional request?

We didn’t configure such requests in an Appsmith app.
Except for me, only one developer is working with Appsmith, and we are reviewing PRs before the merging, so I would know this 100%.
Just for the case, I checked the source of the Appsmith app (we use the Git integration) we don’t have such a domain name in the code.

sharat87 · January 25, 2023, 12:30am

Understood. Thanks for confirming.

Then the only other scenario I can think of, is that someone exploited the SSRF vulnerability on you EC2 instance, and gained SSH access to the server. This would allow them to run any extra payload on the server, which might’ve executed that suspicious DNS request.

Also, do you have Instance Metadata v1 enabled on your EC2 instance? If okay, can you change it to v2-only? That SSRF vulnerability, although fixed, is only possible if you have Instance Metadata v1 enabled on your instance. Changing this to v2 can be another layer of defense for you, just in case.

ivp · January 25, 2023, 5:24pm

Thanks for the ideas.

whitebpsd · January 31, 2023, 11:54pm

Hello,

Did you come to any conclusions about this?

We just started looking at our GuardDuty alerts and noticed the exact same alerts going to the exact same domain as you posted. Fairly recent within the last month or two I believe.

We installed SentinelOne on the affected endpoints and it didn’t find anything.

So I’m wondering if they were just false alerts.

Thanks.

sharat87 · February 1, 2023, 10:18am

@whitebpsd, thank you for reaching out.

If you are also running the old vulnerable version of Appsmith, I’d urge you to

Please update your Appsmith version.
Change Instance Metadata to v2-only, on the EC2 instance that’s running your Appsmith container.

Even if SentinelOne hasn’t found anything, you should consider migrating your Appsmith installation to a new EC2 instance, just in case.

whitebpsd · February 1, 2023, 9:29pm

Hi Sharat,

Thanks for the reply. We’re actually not running AppSmith at all or have anything to do with AppSmith.

OP’s post is pretty much the only Google result to include both "
Trojan:EC2/DGADomainRequest" and “uigfhidfhnsdnkv4.com” which matched our alert.

So that’s why I just was seeing if there was any update from that user.

ivp · February 2, 2023, 11:07am

We didn’t find the cause of this alert report.
GuardDurty performed a malware scan, showing that it is clean (does not mean there is something wrong, though, maybe it just did not find the virus).
But we didn’t investigate it deeply.

We migrated the Appsmith server to a new instance.
The alert has not been repeated until now.