Biz & IT —

Former Hostgator employee arrested, charged with rooting 2,700 servers

Prosecutors: Backdoor and digital key gave him near unfettered access.

Former Hostgator employee arrested, charged with rooting 2,700 servers
Aurich Lawson

A former employee of Hostgator has been arrested and charged with installing a backdoor that gave him almost unfettered control over more than 2,700 servers belonging to the widely used Web hosting provider.

Eric Gunnar Gisse, 29, of San Antonio, Texas, was charged with felony breach of computer security by the district attorney's office of Harris County in Texas, according to court documents. He worked as a medium-level administrator from September 2011 until he was terminated on February 15, 2012, according to prosecutors and a company executive. A day after his dismissal, Hostgator officials discovered a backdoor application that allowed Gisse to log in to servers from remote locations, including a computer located at the Hetzner Data Center in Nuremberg, Germany. He took pains to disguise his malware as a widely used Unix administration tool to prevent his superiors from discovering the backdoor process, prosecutors said.

"The process was named 'pcre', a common system file, in order to disguise the true purpose of the process which would grant an attacker unauthorized access into Hostgator's computer network," a Houston Police Department investigator and the document's "affiant," Gordon M. Garrett, wrote in an affidavit. "Complainant told affiant he searched Hostgator's computer network and found the unauthorized 'pcre' process installed on 2723 different Hostgator servers within the computer network."

Gisse didn't return a voicemail and e-mail seeking comment for this report. A Court docket shows he is scheduled to be arraigned next month and gives no indication he has entered a plea in the case. He's being held at the Harris County Jail on $20,000 bond, a spokeswoman at the district attorney's office said.

The backdoor allowing near-unfettered "root" access to Apache Web server systems was possible because Gisse obtained a Hostgator digital SSH key and transferred it to computers under his control, including one at efnet.pe, Garrett alleged. "The defendant then attempted to penetrate the Hostgator computer network from 'efnet.pe' using the Hostgator digital SSH key," Garrett wrote.

Hostgator COO Patrick Pelanne, referred to as the "complainant" in the affidavit, told Ars the backdoor was discovered in February 2012, the same week that Gisse was terminated. While his root access gave Gisse access to private data stored on a large number of customer websites, there's no evidence he used it, the Hostgator executive said.

"He did not access customer content," Pelanne told Ars. "We caught it well before he had any chance to do any of that."

Given the rapid discovery, the malware was on Hostgator systems for less than a month. Although the affidavit alleges that the backdoor was discovered in February of 2013, Pelanne said that date is erroneous and is most likely the result of a typo. Harris County prosecutors weren't available to confirm that the 2013 date included in court documents was wrong.

Gisse took other steps to conceal the compromise of Hostgator systems. On February 19, three days after Pelanne said the backdoor came to light, investigators found that two standard network diagnostic tools had been modified on the Web host's network. Specifically, the "ps" and "netstat" programs—which allow administrators to enumerate all running applications and network connections respectively—had been hacked to hide certain activities. Senior Hostgator security personnel "were activated to respond to, identify, and neutralize the intrusion incident," the affidavit said.

While Gisse is presumed innocent until proven otherwise, the unconfirmed narrative provides a potent reminder of the threats that lurk from even mid-level employees inside companies that host sensitive information. Having secret control over 2,700 servers inside a Web hosting provider is no small matter, considering each machine can be used for hundreds or possibly thousands of individual websites. But the alleged series of events also highlights the measures employers can take to keep tabs on rogue workers. Among other things, a desktop monitoring system that took screenshots of employee workstations in one-minute increments helped Hostgator officials quickly zero in on Gisse.

Channel Ars Technica