Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Subscribe to our newsletter

Advertise on LowEndTalk.com

Latest LowEndBox Offers

    Former Hostgator employee arrested, charged with rooting 2,700 servers
    New on LowEndTalk? Please read our 'Community Rules' by clicking on it in the right menu!

    Former Hostgator employee arrested, charged with rooting 2,700 servers

    sonicsonic Member
    edited April 2013 in General

    http://arstechnica.com/security/2013/04/former-employee-arrested-charged-with-rooting-2700-hostgator-servers/

    A former employee of Hostgator has been arrested and charged with installing a backdoor that gave him almost unfettered control over more than 2,700 servers belonging to the widely used Web hosting provider.

    Eric Gunnar Gisse, 29, of San Antonio, Texas, was charged with felony breach of computer security by the district attorney's office of Harris County in Texas, according to court documents. He worked as a medium-level administrator from September 2011 until he was terminated on February 15, 2012, according to prosecutors and a company executive. A day after his dismissal, Hostgator officials discovered a backdoor application that allowed Gisse to log in to servers from remote locations, including a computer located at the Hetzner Data Center in Nuremberg, Germany. He took pains to disguise his malware as a widely used Unix administration tool to prevent his superiors from discovering the backdoor process, prosecutors said.

    "The process was named 'pcre', a common system file, in order to disguise the true purpose of the process which would grant an attacker unauthorized access into Hostgator's computer network," a Houston Police Department investigator and the document's "affiant," Gordon M. Garrett, wrote in an affidavit. "Complainant told affiant he searched Hostgator's computer network and found the unauthorized 'pcre' process installed on 2723 different Hostgator servers within the computer network."

    Gisse didn't return a voicemail and e-mail seeking comment for this report. A Court docket shows he is scheduled to be arraigned next month and gives no indication he has entered a plea in the case. He's being held at the Harris County Jail on $20,000 bond, a spokeswoman at the district attorney's office said.

    The backdoor allowing near-unfettered "root" access to Apache Web server systems was possible because Gisse obtained a Hostgator digital SSH key and transferred it to computers under his control, including one at efnet.pe, Garrett alleged. "The defendant then attempted to penetrate the Hostgator computer network from 'efnet.pe' using the Hostgator digital SSH key," Garrett wrote.

    Hostgator COO Patrick Pelanne, referred to as the "complainant" in the affidavit, told Ars the backdoor was discovered in February 2012, the same week that Gisse was terminated. While his root access gave Gisse access to private data stored on a large number of customer websites, there's no evidence he used it, the Hostgator executive said.

    "He did not access customer content," Pelanne told Ars. "We caught it well before he had any chance to do any of that."

    Given the rapid discovery, the malware was on Hostgator systems for less than a month. Although the affidavit alleges that the backdoor was discovered in February of 2013, Pelanne said that date is erroneous and is most likely the result of a typo. Harris County prosecutors weren't available to confirm that the 2013 date included in court documents was wrong.

    Gisse took other steps to conceal the compromise of Hostgator systems. On February 19, three days after Pelanne said the backdoor came to light, investigators found that two standard network diagnostic tools had been modified on the Web host's network. Specifically, the "ps" and "netstat" programs—which allow administrators to enumerate all running applications and network connections respectively—had been hacked to hide certain activities. Senior Hostgator security personnel "were activated to respond to, identify, and neutralize the intrusion incident," the affidavit said.

    While Gisse is presumed innocent until proven otherwise, the unconfirmed narrative provides a potent reminder of the threats that lurk from even mid-level employees inside companies that host sensitive information. Having secret control over 2,700 servers inside a Web hosting provider is no small matter, considering each machine can be used for hundreds or possibly thousands of individual websites. But the alleged series of events also highlights the measures employers can take to keep tabs on rogue workers. Among other things, a desktop monitoring system that took screenshots of employee workstations in one-minute increments helped Hostgator officials quickly zero in on Gisse.

    Gapps legacy 100/200 users cheap 4 sale. PM

    Comments

    • @sonic said: Among other things, a desktop monitoring system that took screenshots of employee workstations in one-minute increments helped Hostgator officials quickly zero in on Gisse.

      Interesting, I wonder if employees knew about this.

      vpsBoard.com - Now with over 450 members! A friendly community with active discussion. Come join us!

      IRC.FREENODE.NET #vpsBoard - Drop by and say, 'Hello'.
    • What's next ?

      Anyone selling Blesta Owned Lifetime Under $250? | Regards.

    • Interesting read, glad they caught him.

      Los Angeles VPS Inside of QuadraNet Datacenter http://semoweb.com/vps.html

    • When was whmcs hacked?

    • NickONickO Member

      @24khost said: When was whmcs hacked?

      Where'd you get that from and have you been in a cave?

      They were hacked in May of 2012.

    • Ooh this guy was caught in feb 2012. So whmcs got hacked 3 months later, while being hosted by hostgator. Guess security got no better.

    • 'pcre' a common system file??? o_O

      perl sounds more common to me... or sth like that

    • vapornodevapornode Member, Provider

      'pcre' is pretty common, even more so in a large entity like HostGator.

      VaporNode | Tampa Florida VPS, Resource Bundles, Dedicated Servers, Colocation | Proactive Management, DDoS Protection
    • WintereiseWintereise Member
      edited April 2013

      PCRE refers to the Perl Compatible Regular Expressions library, and is in fact, not very common for a standalone process/file to be named as.

      But eh, probably clueless 'executives' providing tech news, what else is new?

      -- BOFH

    • EpidriveEpidrive Member, Provider

      @Wintereise woah we got a genius, damn you should be the hostgator ceo :P

    • WintereiseWintereise Member
      edited April 2013

      Was there really a need for the off-topic, smartass comment?

      Not like we have any issues with threads being derailed without them...

      -- BOFH

    • Gnerd @Wintereise. Crooked tracks cause the derailings around here :)

      So he just kept a valid SSH Key.... Simple enough.

      5 month employee... Yeah, where did they find this fellow? LET?

      Funny if he's lingering here as an admin in one of the companies... Ho hum...

    • Fair enough, mm.

      -- BOFH

    • @pubcrawler said: Yeah, where did they find this fellow? LET?

      So ppl found on LET are not trustworthy :(

      Extremist conservative user, I wish to preserve human and civil rights, free speech, freedom of the press and worship, rule of law, democracy, peace and prosperity, social mobility, etc. Now you can draw your guns.

    • Well there are some good people here too @Maunique. But I don't think I need to take my shoes off to get counting ;)

    Sign In or Register to comment.