Why did I receive Amazon GuardDuty Trojan:EC2 finding type alerts for my Amazon EC2 instance?
Last updated: 2020-09-18
Amazon GuardDuty generated Trojan:EC2 finding type alerts for my Amazon Elastic Compute Cloud (Amazon EC2) instance.
Resolution
When GuardDuty detects anomalous Amazon EC2 activity that is characteristic of a trojan, it generates a Trojan:EC2 finding. Compare your finding against the following list of behaviors that trigger this finding type to identify the reason for the alert. Then, follow the instructions for remediating a compromised EC2 instance.
- Attempting to communicate with an IP address of a remote host that is a known black hole.
- Attempting to communicate with an IP address of a remote host that is known to hold credentials and other stolen data captured by malware.
- Querying a domain name that is being redirected to a black hole IP address.
- Querying a domain name of a remote host that is a known source of drive-by download attacks.
- Querying a domain name of a remote host that is known to hold credentials and other stolen data captured by malware.
- Querying algorithmically generated domains.
- Exfiltrating data through DNS queries.
- Querying domains involved in phishing attacks.
For more information, see GuardDuty EC2 finding types and How Amazon GuardDuty uses its data sources.
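As an added example (not part of this article and not GuardDuty's own tooling), the following Python script filters exported findings down to Trojan:EC2 types and pulls out what a responder needs before starting the remediation steps: the affected instance, the remote domain or IP address it contacted, whether the request was blocked, and which log source corroborates the behavior (Route 53 Resolver query logs for the DNS-based reasons in the list above, VPC Flow Logs for direct connections; that mapping is the editor's suggestion). The finding layout (Type, Severity, Resource.InstanceDetails.InstanceId, Service.Action) follows the JSON returned by `aws guardduty get-findings`; the sample findings and every value in them are constructed.

```python
# Constructed sample findings in the shape of the "Findings" list returned by
# `aws guardduty get-findings`. Instance IDs, domains, IPs and severities are made up.
SAMPLE_FINDINGS = [
    {"Type": "Trojan:EC2/DNSDataExfiltration", "Severity": 8,
     "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
     "Service": {"Action": {"ActionType": "DNS_REQUEST", "DnsRequestAction": {
         "Domain": "exfil.example.test", "Protocol": "UDP", "Blocked": False}}}},
    {"Type": "Trojan:EC2/BlackholeTraffic", "Severity": 5,
     "Resource": {"InstanceDetails": {"InstanceId": "i-0fedcba9876543210"}},
     "Service": {"Action": {"ActionType": "NETWORK_CONNECTION", "NetworkConnectionAction": {
         "ConnectionDirection": "OUTBOUND", "Blocked": False,
         "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"},
         "RemotePortDetails": {"Port": 443}}}}},
    {"Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2,  # not a Trojan finding
     "Resource": {"InstanceDetails": {"InstanceId": "i-0fedcba9876543210"}},
     "Service": {"Action": {"ActionType": "PORT_PROBE"}}},
]


def remote_indicator(finding):
    """Return (kind, value, blocked) for the remote host the instance contacted."""
    action = finding["Service"]["Action"]
    if action["ActionType"] == "DNS_REQUEST":
        dns = action["DnsRequestAction"]
        return "domain", dns["Domain"], dns.get("Blocked", False)
    if action["ActionType"] == "NETWORK_CONNECTION":
        net = action["NetworkConnectionAction"]
        return "ip", net["RemoteIpDetails"]["IpAddressV4"], net.get("Blocked", False)
    return "unknown", None, False


def triage(findings, prefix="Trojan:EC2/"):
    """Keep Trojan:EC2 findings, highest severity first, with the instance,
    the remote indicator, and the log source that corroborates the behavior."""
    rows = []
    for f in findings:
        if not f["Type"].startswith(prefix):
            continue
        kind, value, blocked = remote_indicator(f)
        # Editor's assumption: DNS-based reasons (domain queries, DNS exfiltration) are
        # confirmed in Route 53 Resolver query logs; direct connections in VPC Flow Logs.
        rows.append({"instance": f["Resource"]["InstanceDetails"]["InstanceId"],
                     "type": f["Type"], "severity": f["Severity"], "blocked": blocked,
                     "indicator": f"{kind}:{value}",
                     "log_source": "resolver-query-logs" if kind == "domain" else "vpc-flow-logs"})
    return sorted(rows, key=lambda r: -r["severity"])


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```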