Why does GuardDuty keep alerting on my instance with "Trojan:EC2/DGADomainRequest.B"?


My instance only opens external network access to certain specific IPs and ports, but this alarm still appears. Findings:

Malware scan
Scan ID: d954e9ec99318c5df6946cc3ece1db32
Scan status: COMPLETED
Start time: 07-17-2023 04:55:02
End time: 07-17-2023 05:51:23
Security status: CLEAN

Resource affected
Resource role: TARGET
Resource type: Instance

Action
Action type: DNS_REQUEST
Protocol: 0
Blocked: false
First seen: 06-20-2023 15:23:43 (a month ago)
Last seen: 07-17-2023 03:39:28 (4 hours ago)

Actor
Domain: xosryt3auex5wnz63gu7oxubehblp3lqzlbojcxnlwf4wqmvuwin2wqd.onion

Additional information
Archived: false

But a clone of the machine with the same disk, in a different region, does not have this problem. How can I solve this?

DD-Boom
Asked 10 months ago, 1543 views
1 answer

Hi,

See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestb

Trojan:EC2/DGADomainRequest.B

An EC2 instance is querying algorithmically generated domains. Such domains are commonly used by malware and could be an indication of a compromised EC2 instance.

DGAs are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control (C&C) servers. Command and control servers are computers that issue commands to members of a botnet, which is a collection of internet-connected devices that are infected and controlled by a common type of malware. The large number of potential rendezvous points makes it difficult to effectively shut down botnets because infected computers attempt to contact some of these domain names every day to receive updates or commands.

So, it happens only on one of your EC2 instances because the affected one makes those dangerous DNS requests while the other doesn't. Knowing your exact context will probably make you understand why.

You should analyze what those DNS queries are to prevent your EC2 instance from interacting with those rendezvous points, if they are really such botnet rendezvous points.

Remediation is detailed in https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2

Hope it helps

Didier

AWS Expert
Answered 10 months ago
Reviewed by iBehr, AWS Expert, 10 months ago
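The answer says to analyze what those DNS queries are. Below is an added example, not from the original thread and not an AWS tool: a small Python triage script that applies DGA-style heuristics (label length, character entropy, vowel ratio, and the fixed 56-character base32 shape of a Tor v3 .onion address) to query-log lines and reports the source IP of each suspicious lookup, so it can be matched to the instance that GuardDuty named. The log lines are constructed (only the .onion name comes from the finding above), and the thresholds are assumptions chosen for triage, not a verdict.

```python
import math
from collections import Counter

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")

# Constructed sample in Route 53 Resolver query-log style: "<time> <source-ip> <query-name>".
# Made up for this example; only the .onion name is taken from the GuardDuty finding.
SAMPLE_QUERY_LOG = """\
2023-07-17T03:39:28Z 10.0.1.25 xosryt3auex5wnz63gu7oxubehblp3lqzlbojcxnlwf4wqmvuwin2wqd.onion
2023-07-17T03:39:29Z 10.0.1.25 s3.eu-west-1.amazonaws.com
2023-07-17T03:39:30Z 10.0.1.25 repo.mycompany-internal.example
2023-07-17T03:39:31Z 10.0.1.25 kq8x2n7vz3m1.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score well above dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def dga_indicators(domain: str) -> list[str]:
    """Heuristic signs that a name was generated rather than chosen by a person.
    Thresholds (20 chars, 3.8 bits, 25% vowels) are assumptions for triage."""
    labels = domain.lower().rstrip(".").split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) >= 2 else labels[0]  # label left of the TLD
    flags = []
    if len(sld) >= 20:
        flags.append("long-label")
    if shannon_entropy(sld) >= 3.8:
        flags.append("high-entropy")
    if sld and sum(ch in "aeiou" for ch in sld) / len(sld) < 0.25:
        flags.append("few-vowels")
    # A Tor v3 hidden-service address is exactly 56 base32 characters before ".onion".
    if tld == "onion" and len(sld) == 56 and set(sld) <= BASE32_ALPHABET:
        flags.append("tor-v3-onion")
    return flags

def triage_query_log(log_text: str) -> list[tuple[str, str, str, list[str]]]:
    """(time, source_ip, domain, flags) for every query that trips at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip blank or malformed lines
            continue
        ts, src, name = parts
        flags = dga_indicators(name)
        if flags:
            hits.append((ts, src, name, flags))
    return hits
```

Call `triage_query_log(SAMPLE_QUERY_LOG)` to get the flagged lookups; the source IP on each hit is what you match against the instance's ENI before looking for the process that issued the query.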
