Former Hostgator employee arrested, charged with rooting 2,700 servers

sonic Veteran
edited April 2013 in General

http://arstechnica.com/security/2013/04/former-employee-arrested-charged-with-rooting-2700-hostgator-servers/

A former employee of Hostgator has been arrested and charged with installing a backdoor that gave him almost unfettered control over more than 2,700 servers belonging to the widely used Web hosting provider.

Eric Gunnar Gisse, 29, of San Antonio, Texas, was charged with felony breach of computer security by the district attorney's office of Harris County in Texas, according to court documents. He worked as a medium-level administrator from September 2011 until he was terminated on February 15, 2012, according to prosecutors and a company executive. A day after his dismissal, Hostgator officials discovered a backdoor application that allowed Gisse to log in to servers from remote locations, including a computer located at the Hetzner Data Center in Nuremberg, Germany. He took pains to disguise his malware as a widely used Unix administration tool to prevent his superiors from discovering the backdoor process, prosecutors said.

"The process was named 'pcre', a common system file, in order to disguise the true purpose of the process which would grant an attacker unauthorized access into Hostgator's computer network," a Houston Police Department investigator and the document's "affiant," Gordon M. Garrett, wrote in an affidavit. "Complainant told affiant he searched Hostgator's computer network and found the unauthorized 'pcre' process installed on 2723 different Hostgator servers within the computer network."

Gisse didn't return a voicemail and e-mail seeking comment for this report. A Court docket shows he is scheduled to be arraigned next month and gives no indication he has entered a plea in the case. He's being held at the Harris County Jail on $20,000 bond, a spokeswoman at the district attorney's office said.

The backdoor allowing near-unfettered "root" access to Apache Web server systems was possible because Gisse obtained a Hostgator digital SSH key and transferred it to computers under his control, including one at efnet.pe, Garrett alleged. "The defendant then attempted to penetrate the Hostgator computer network from 'efnet.pe' using the Hostgator digital SSH key," Garrett wrote.

Hostgator COO Patrick Pelanne, referred to as the "complainant" in the affidavit, told Ars the backdoor was discovered in February 2012, the same week that Gisse was terminated. While his root access gave Gisse access to private data stored on a large number of customer websites, there's no evidence he used it, the Hostgator executive said.

"He did not access customer content," Pelanne told Ars. "We caught it well before he had any chance to do any of that."

Given the rapid discovery, the malware was on Hostgator systems for less than a month. Although the affidavit alleges that the backdoor was discovered in February of 2013, Pelanne said that date is erroneous and is most likely the result of a typo. Harris County prosecutors weren't available to confirm that the 2013 date included in court documents was wrong.

Gisse took other steps to conceal the compromise of Hostgator systems. On February 19, three days after Pelanne said the backdoor came to light, investigators found that two standard network diagnostic tools had been modified on the Web host's network. Specifically, the "ps" and "netstat" programs—which allow administrators to enumerate all running applications and network connections respectively—had been hacked to hide certain activities. Senior Hostgator security personnel "were activated to respond to, identify, and neutralize the intrusion incident," the affidavit said.

While Gisse is presumed innocent until proven otherwise, the unconfirmed narrative provides a potent reminder of the threats that lurk from even mid-level employees inside companies that host sensitive information. Having secret control over 2,700 servers inside a Web hosting provider is no small matter, considering each machine can be used for hundreds or possibly thousands of individual websites. But the alleged series of events also highlights the measures employers can take to keep tabs on rogue workers. Among other things, a desktop monitoring system that took screenshots of employee workstations in one-minute increments helped Hostgator officials quickly zero in on Gisse.
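The article describes two things a responder would look for: a backdoor process hiding behind a common-looking name, and trojaned `ps`/`netstat` binaries that omit it. The example below is added here and is not code from the article, Ars Technica or Hostgator; it cross-checks an independent process view (a constructed `/proc` snapshot) against the output of a possibly untrustworthy `ps`, and flags processes whose binary lives outside the usual system paths. All PIDs, names and paths are constructed sample data.

```python
import re

# Constructed snapshot of /proc: pid -> (comm name, resolved /proc/<pid>/exe).
# On a real host this would be built by listing /proc and reading each exe link,
# not by asking `ps`, because `ps` itself is what the intruder modified.
PROC_SNAPSHOT = {
    1:    ("init",  "/sbin/init"),
    842:  ("sshd",  "/usr/sbin/sshd"),
    1203: ("httpd", "/usr/sbin/httpd"),
    2991: ("pcre",  "/tmp/.x/pcre"),   # constructed: a library name used as a process disguise
}

# Constructed output of `ps -eo pid,comm` from a trojaned ps: pid 2991 is omitted.
PS_OUTPUT = """\
  PID COMMAND
    1 init
  842 sshd
 1203 httpd
"""

# Directories where legitimate system daemons are expected to live (assumption).
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/lib/", "/usr/libexec/")


def parse_ps(text):
    """Return the set of PIDs that `ps` chose to report (header line skipped)."""
    pids = set()
    for line in text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def hidden_pids(proc_snapshot, ps_text):
    """PIDs visible in /proc but missing from ps output: evidence of a trojaned ps
    or a userland rootkit (a kernel-level rootkit could hide from /proc as well)."""
    return sorted(set(proc_snapshot) - parse_ps(ps_text))


def suspicious_exe(proc_snapshot):
    """Processes whose executable is outside the trusted system directories,
    regardless of how ordinary their name looks."""
    return sorted(pid for pid, (_, exe) in proc_snapshot.items()
                  if not exe.startswith(TRUSTED_PREFIXES))
```

On a live system, pair this with the package manager's own integrity check of the tools in question (for example `rpm -V procps net-tools` or `debsums`) so that modified `ps` and `netstat` binaries are caught directly rather than only by their side effects.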

Comments

  • @sonic said: Among other things, a desktop monitoring system that took screenshots of employee workstations in one-minute increments helped Hostgator officials quickly zero in on Gisse.

    Interesting, I wonder if employees knew about this.

  • What's next ?

  • Interesting read, glad they caught him.

  • When was whmcs hacked?

  • NickO Member

    @24khost said: When was whmcs hacked?

    Where'd you get that from and have you been in a cave?

    They were hacked in May of 2012.

  • Ooh, this guy was caught in Feb 2012. So WHMCS got hacked 3 months later, while being hosted by Hostgator. Guess security got no better.

  • 'pcre' a common system file??? o_O

    perl sounds more common to me... or something like that

  • 'pcre' is pretty common, even more so in a large entity like HostGator.

  • Wintereise Member
    edited April 2013

    PCRE refers to the Perl Compatible Regular Expressions library, and it is in fact not very common for a standalone process/file to be named that.

    But eh, probably clueless 'executives' providing tech news, what else is new?

  • @Wintereise woah we got a genius, damn you should be the hostgator ceo :P

  • Wintereise Member
    edited April 2013

    Was there really a need for the off-topic, smartass comment?

    Not like we have any issues with threads being derailed without them...

  • Gnerd @Wintereise. Crooked tracks cause the derailings around here :)

    So he just kept a valid SSH Key.... Simple enough.

    5 month employee... Yeah, where did they find this fellow? LET?

    Funny if he's lingering here as an admin in one of the companies... Ho hum...

  • Fair enough, mm.

  • Maounique Host Rep, Veteran

    @pubcrawler said: Yeah, where did they find this fellow? LET?

    So ppl found on LET are not trustworthy :(

  • Well, there are some good people here too @Maounique. But I don't think I need to take my shoes off to get counting ;)
