How to determine which process makes a DNS request?

I have a server on AWS, and GuardDuty started sending me notifications:

*** "type":"Backdoor:EC2/C&CActivity.B!DNS",
*** {"domain":"libcurl.so","protocol":"UDP","blocked":false}
*** is querying a domain name associated with a known Command & Control server. ***

I’ve checked the server with all possible security tools and found nothing.
With tcpdump -A I saw that my server sends this kind of request for this domain.
I have turned on auditd, but nothing strange was found.

My question is: how do I determine exactly which process sends this request?
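
One way to approach this with auditd, as an added example that is not part of the original post: log connect() syscalls under a key, then decode the saddr field of each SOCKADDR record and keep the events whose destination port is 53. The audit rule in the comment, the key name dns_trace, and the log lines are assumptions constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log after an assumed rule:
#   auditctl -a always,exit -F arch=b64 -S connect -k dns_trace
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=42 success=yes exit=0 a0=3 ppid=1 pid=2211 uid=0 comm="updater" exe="/opt/app/bin/updater" key="dns_trace"
type=SOCKADDR msg=audit(1700000000.101:501): saddr=020000350A0000020000000000000000
type=SYSCALL msg=audit(1700000000.350:502): arch=c000003e syscall=42 success=yes exit=0 a0=5 ppid=1 pid=900 uid=33 comm="nginx" exe="/usr/sbin/nginx" key="dns_trace"
type=SOCKADDR msg=audit(1700000000.350:502): saddr=02001F907F0000010000000000000000
"""

AF_INET, AF_INET6 = 2, 10  # Linux address-family numbers
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_saddr(hex_saddr):
    """Return (ip, port) for an AF_INET/AF_INET6 sockaddr, else None."""
    raw = bytes.fromhex(hex_saddr)
    family = int.from_bytes(raw[:2], "little")  # host byte order on x86
    port = int.from_bytes(raw[2:4], "big")      # network byte order
    if family == AF_INET and len(raw) >= 8:
        return str(ipaddress.IPv4Address(raw[4:8])), port
    if family == AF_INET6 and len(raw) >= 24:
        return str(ipaddress.IPv6Address(raw[8:24])), port
    return None  # AF_UNIX, AF_NETLINK, ...

def dns_callers(log_text, port=53):
    """List (event_id, pid, exe, dest_ip) for connects to the given port."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if m:  # SYSCALL and SOCKADDR records of one event share this id
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[m.group(1)].update(fields)
    hits = []
    for event_id, f in events.items():
        dest = decode_saddr(f["saddr"]) if "saddr" in f else None
        if dest and dest[1] == port:
            hits.append((event_id, f.get("pid"), f.get("exe"), dest[0]))
    return hits

if __name__ == "__main__":
    for hit in dns_callers(SAMPLE_LOG):
        print(*hit)
```

Match the event timestamps against the tcpdump capture to tie a process to the specific query name. A connect-only rule does not see a process that sends UDP with sendto() on an unconnected socket.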
