My GuardDuty management console on Amazon shows that my server is infected with malware:
"EC2 instance i-7e1d4356 is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance"
It is querying fkg2f0c33okxznr2nknk7jdhaozrz2ul.com
I checked the access log and found these entries (an "attempt of SQL injection"):
79.174.12.136 - - [25/Mar/2019:15:30:45 +0000] "GET /company/registration.php?pid=211111111111111111111111111'%20UNION%20SELECT%20(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20psytest.transactions%20)%20--%20%20 HTTP/1.1" 200 5086 "-" "-"
79.174.12.136 - - [28/Mar/2019:11:02:27 +0000] "GET /company/registration.php?pid=211111111111111111111111111'%20UNION%20SELECT%20(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20psytest.mail_templates%20)%20--%20%20 HTTP/1.1" 200 58 "-" "-"
I blocked this IP 79.174.12.136 and for the last 4 hours, there has been no further attempt.
However, I want to be sure that there is no malware lying there... How do I investigate and fix it?
Can anyone provide some guidance please?
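A small triage script for the access-log entries above, added here as an example (it is not part of the question or of any answer): it parses Combined Log Format lines, URL-decodes each query parameter, flags the `' UNION SELECT` probe, and records whether the application answered 200 and which tables the payload named. The first two sample lines are the ones quoted in the question; the third (203.0.113.7) is a constructed benign request used as a control.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Combined Log Format, as used by the access-log entries quoted in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Matched against each URL-decoded query value, so %20 encoding or case
# changes in the raw request line cannot hide the payload.
INJECTION_PATTERNS = {
    "union-select": re.compile(r"'\s*union\s+(?:all\s+)?select\b", re.I),
    "comment-terminator": re.compile(r"'.*(?:--|/\*)", re.I | re.S),
    "schema-enumeration": re.compile(r"information_schema|mysql\.user", re.I),
}
TABLE_RE = re.compile(r"\bfrom\s+([\w.]+)", re.I)

def parse_line(line):
    """Split one access-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def scan_access_log(lines):
    """One finding per query parameter carrying an injection payload. 'served'
    is True when the app answered 200 (the probe was not rejected); 'tables'
    lists the table names the payload tried to read."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True):
            hits = [n for n, rx in INJECTION_PATTERNS.items() if rx.search(value)]
            if hits:
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "param": key, "decoded": value,
                    "patterns": hits, "tables": TABLE_RE.findall(value),
                    "status": int(rec["status"]), "bytes": rec["bytes"],
                    "served": rec["status"] == "200",
                })
    return findings

# The two requests quoted in the question plus one constructed benign request.
SAMPLE_LOG = r"""
79.174.12.136 - - [25/Mar/2019:15:30:45 +0000] "GET /company/registration.php?pid=211111111111111111111111111'%20UNION%20SELECT%20(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20psytest.transactions%20)%20--%20%20 HTTP/1.1" 200 5086 "-" "-"
79.174.12.136 - - [28/Mar/2019:11:02:27 +0000] "GET /company/registration.php?pid=211111111111111111111111111'%20UNION%20SELECT%20(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20psytest.mail_templates%20)%20--%20%20 HTTP/1.1" 200 58 "-" "-"
203.0.113.7 - - [25/Mar/2019:15:31:02 +0000] "GET /company/registration.php?pid=42 HTTP/1.1" 200 5086 "-" "Mozilla/5.0"
""".strip().splitlines()
if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["patterns"], f["tables"], "served" if f["served"] else "rejected")
```

Run it against the full access log (`scan_access_log(open("access.log"))`) to list every source IP and every table name that was probed, which is the scope a rebuilt server's secrets and data need to be reviewed against.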
You need to fix the vulnerability in /company/registration.php that allowed the breach. It's just going to happen again. – HackSlash – 2019-03-28T17:01:29.757
Here are some tools that can help find vulnerabilities in PHP files: https://geekflare.com/php-security-scanner/ – HackSlash – 2019-03-28T17:02:19.677
You should try posting this question over here: https://security.stackexchange.com/ – HackSlash – 2019-03-28T17:03:03.770
The vulnerability is fixed... in fact, I deleted everything in the file (it was not an important file anyway) and now it is not processing anything. – Vijai Pandey – 2019-03-28T18:16:03.023
But still, my server gets choked with requests and it stops responding... – Vijai Pandey – 2019-03-28T18:16:32.020
The vulnerability may have been fixed, but it seems very odd for this request to return 200 OK if that is true. From the Guard Duty report, it sounds like your server has been compromised... and a compromised server cannot be fixed. You don't "remove" malware and keep the server. https://serverfault.com/q/218005/153161 – Michael - sqlbot – 2019-03-28T21:38:13.943
Thank you Michael, going by the advice of experienced and learned professionals like you, I have terminated the server and started a new one. Currently in the process of checking if all my custom files and configurations are in place. – Vijai Pandey – 2019-03-29T06:05:28.497