Why did I receive an Amazon GuardDuty finding type Trojan:EC2 alerts for my Amazon EC2 instance?

Last updated: 2020-09-18

Amazon GuardDuty detected finding type Trojan:EC2 alerts for my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Resolution

When GuardDuty detects anomalous Amazon EC2 activity, GuardDuty responds with a Trojan alert. Check each reference in this list to find the reason for the alert. Then, follow the instructions for remediating a compromised EC2 instance.

Attempting to communicate with an IP address of a remote host that is a known black hole.
Attempting to communicate with an IP address of a remote host that is known to hold credentials and other stolen data captured by malware.
Querying a domain name that is being redirected to a black hole IP address.
Querying a domain name of a remote host that is a known source of drive-by download attacks.
Querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware.
Querying algorithmically generated domains.
Exfiltrating data through DNS queries.
Querying domains involved in phishing attacks.

For more information, see GuardDuty EC2 finding types and How Amazon GuardDuty uses its data sources.

Related information

Creating custom responses to GuardDuty findings with Amazon CloudWatch events

How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

Security solutions in AWS Marketplace

GuardDuty finding format

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support