Hosting company Hostgator hacked, suspect arrested after being "rooted with his own rootkit"

Filed Under: Featured, Law & order

A system administrator - or, more accurately, a former system administrator - from Hostgator, a server hosting company in Houston, Texas, has been arrested for hacking into his former employer's network.

Court documents allege that after Eric Gunnar Grisse, 29, got the sack from his job at Hostgator, he jumped right back into the company's network, using a backdoor Trojan he had planted earlier.

Hosting companies do just what their name suggests: they run racks full of servers, plus a network to connect them all up, and then rent you time and space on one or more of them, so you don't need to own and operate your own IT infrastructure.

The services available typically include: simple websites, where your web pages are handled by a web server that also hosts other users' websites; virtual servers, where virtualisation is used to share out powerful physical servers amongst multiple customers; and dedicated servers, where a specific physical server is provisioned with an operating system and turned over to you almost as if it were your own.

Web hosting is a bit like renting a bed in a backpackers' dormitory; a virtual server is like a room in a boarding house; and a dedicated server is like an apartment in a high-rise block.

Obviously, if you misconfigure your own hosted setup, you run the risk of being hacked and having your online presence ruined.

Most hosting companies try to prevent you from making egregious mistakes, but if you choose to give edit rights to your web pages to a careless contractor, say, that's your lookout.

At the same time, you put a lot of trust in the security competence of your hosting provider.

After all, if your provider configures its network badly, then other customers might wrongly be able to mess with your servers, even though you set up your parts of the system correctly.

Worse still, hackers who are able to get into the operational innards of a hosting business might be able to mess with any and all of the systems on the network.

Grisse, it is alleged, was able to get unlawful access somewhere between these two levels.

According to the affidavit in this case, Grisse's remote access program was found on 2723 separate servers inside Hostgator's network.

That's about 25% of the servers entrusted to Hostgator, according to a commentator on the online community forum webhostingtalk.com.

The court documents claim, amongst other things, that Grisse:

  • Named his backdoor program pcre, which makes it look vaguely like a commonly-used system library known in full as Perl Compatible Regular Expressions.
  • Altered the system tools ps and netstat, which list running programs and network activity respectively, to hide his own presence. (This makes his hack a "rootkit", in the old-school Unix sense of the word.)
  • Stole a Hostgator SSH login key file so he could continue to authenticate even from outside, after being sacked.
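Because the affidavit describes tampered copies of ps and netstat, the matching defensive check is to compare what the (possibly trojaned) ps reports with what the kernel itself exposes under /proc. The Python script below is an added example written for this article, not code from the original post or from Hostgator. It takes a /proc snapshot before and after a single ps run, so that processes which start or exit in the meantime are not reported as hidden; the SAMPLE_PS_OUTPUT text is constructed purely so the parser can be exercised offline.

```python
import os
import subprocess

# Constructed sample of `ps -eo pid,args` output, used only to exercise the
# parser without touching the live system.
SAMPLE_PS_OUTPUT = """\
  PID COMMAND
    1 /sbin/init
    2 [kthreadd]
  400 /usr/sbin/sshd -D
 5000 -bash
"""


def pids_from_ps(ps_output):
    """Extract PIDs from ps output: the first whitespace-separated field of
    every line whose first field is numeric (the header line is skipped)."""
    pids = []
    for line in ps_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.append(int(fields[0]))
    return pids


def pids_from_proc(proc_root="/proc"):
    """List PIDs straight from the kernel's procfs, bypassing the ps binary."""
    return [int(name) for name in os.listdir(proc_root) if name.isdigit()]


def hidden_pids(proc_before, ps_pids, proc_after):
    """PIDs the kernel reported both before and after ps ran, yet ps omitted.

    Requiring presence in both /proc snapshots discards processes that merely
    started or exited while ps was running, so only persistently hidden
    processes remain."""
    stable = set(proc_before) & set(proc_after)
    return sorted(stable - set(ps_pids))


def audit():
    """Run the cross-check on the live system and return the suspicious PIDs."""
    before = pids_from_proc()
    # `ps -eo pid=` prints one bare PID per line with no header.
    ps = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True)
    after = pids_from_proc()
    return hidden_pids(before, pids_from_ps(ps.stdout), after)


if __name__ == "__main__":
    suspects = audit()
    for pid in suspects:
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            cmdline = "(exited)"
        print(f"PID {pid} is visible in /proc but missing from ps: {cmdline}")
    if not suspects:
        print("ps output matches /proc; no hidden processes found")
```

Run it as root on a Linux host so that every /proc entry is readable. A hit means the kernel knows about a process that the ps binary chose not to show, which is exactly the symptom a replaced ps produces. The check cannot see through a kernel-level rootkit that also filters /proc, and the same tool-versus-kernel comparison applies to netstat by reading /proc/net/tcp and /proc/net/udp directly.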

SSH (secure shell) is a ubiquitous and general-purpose way of accessing Unix systems remotely by creating an authenticated and encrypted network connection between two computers. Typically, there are two ways of logging in over SSH: by typing in a traditional username and password, and by using a pre-computed public/private key pair.

The keypair approach is popular with sysadmins because it avoids the need to keep typing in usernames and passwords. You generate a keypair, and upload the public key to a secure area on the server; then you can login from any computer on which the private key file is installed.

You can encrypt the private key if you like, which protects it against theft, but many people don't bother so that they can write automation scripts that use the key to carry out administrative tasks.
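Two things follow from the stolen key file: a private key that is encrypted with a passphrase is worthless to whoever copies it, and a public key that stays in a server's authorized_keys file keeps working for a departed admin until someone removes it. The Python below is an added example, not code from the original article or from Hostgator. It checks whether a private key file is passphrase-protected by reading the cipher field of the openssh-key-v1 header (or the Proc-Type header of a legacy PEM key), and it lists authorized_keys entries with their SHA256 fingerprints so that a departed user's keys can be located and revoked. The sample keys and the authorized_keys text are constructed, contain no real key material, and use placeholder comment names.

```python
import base64
import hashlib
import re
import struct

KEY_TYPE_RE = re.compile(
    r"(?P<type>ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.-]+@openssh\.com)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def _ssh_string(data):
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf, offset):
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def private_key_is_encrypted(key_text):
    """True if the private key file needs a passphrase before it can be used.

    The OpenSSH format stores the cipher name as the first field after the
    "openssh-key-v1" magic; "none" means the key material is in the clear.
    Legacy PEM keys announce encryption with a "Proc-Type: 4,ENCRYPTED" header."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, _ = _read_ssh_string(body, len(magic))
        return cipher != b"none"
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])


def authorized_keys_entries(text):
    """Parse authorized_keys into (key type, SHA256 fingerprint, comment) tuples.

    Options such as from="..." may precede the key type, so the key is located
    by its type token rather than by field position. The fingerprint matches
    what `ssh-keygen -lf` prints: unpadded base64 of SHA-256 over the blob."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_TYPE_RE.search(line)
        if not m:
            continue
        digest = hashlib.sha256(base64.b64decode(m.group("blob"))).digest()
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        entries.append((m.group("type"), fp, (m.group("comment") or "").strip()))
    return entries


def entries_matching(text, needle):
    """Entries whose comment mentions needle, e.g. a departed admin's username."""
    return [e for e in authorized_keys_entries(text) if needle in e[2]]


# Constructed samples: the blobs are shaped like real OpenSSH structures but
# carry all-zero key material, so nothing here can authenticate anywhere.
def sample_openssh_key(cipher):
    body = (b"openssh-key-v1\x00" + _ssh_string(cipher)
            + _ssh_string(b"bcrypt" if cipher != b"none" else b"none")
            + _ssh_string(b"") + struct.pack(">I", 1)
            + _ssh_string(b"\x00" * 51) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAA
-----END RSA PRIVATE KEY-----
"""

_FAKE_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)).decode()
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-ed25519 {_FAKE_BLOB} backup-runner@ops
from="10.0.0.0/8",no-pty ssh-ed25519 {_FAKE_BLOB} former-admin@workstation
"""

if __name__ == "__main__":
    print("cleartext private key:", not private_key_is_encrypted(sample_openssh_key(b"none")))
    for entry in entries_matching(SAMPLE_AUTHORIZED_KEYS, "former-admin"):
        print("revoke:", entry)
```

Point private_key_is_encrypted at the files under each admin's ~/.ssh to find keys that would be usable as-is if copied, and run authorized_keys_entries over every server's authorized_keys (and any shared key files) as part of offboarding; matching on the comment is only a convenience, since comments are optional, so keeping an inventory of fingerprints per person is the reliable way to know which entries to delete.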

Grisse was caught, it is claimed, due to evidence that included:

  • Logs saved as part of a once-a-minute screenshotting tool implemented by Hostgator to keep an audit trail of IT operations. The investigators claim that Grisse expressed the intention to "get himself fired" and to steal data from the company, and also identified logins from his Hostgator account, under the name acdc, to a server in Germany named efnet.pe.
  • An illicit network connection, open at the time of investigation, between Hostgator and efnet.pe. Apparently, the investigators were able to use the connection in reverse to locate a stash of hacking tools, exploits, and data belonging to Hostgator, as well as a logged-in user called acdc.

If the allegations are true, it sounds as though the suspect was hoist by his own petard, or at least rooted with his own rootkit!


10 Responses to Hosting company Hostgator hacked, suspect arrested after being "rooted with his own rootkit"

  1. Well done! Unfortunately, there are always traitors in the companies.

  2. Wow, talk about disgruntled employees....

  3. Yardyy · 359 days ago

    I lost all my emails from here some 3 months back, no backups. But most of all, communication is atrocious with these cowboys.

  4. bradm · 359 days ago

    Insider threats are often the most serious and damaging to any company since the Insider has knowledge and access an outsider would not normally have. Even when presented with evidence of insider activities most companies do not believe that their "loyal" employees would turn on them.

  5. Wolf_Star · 358 days ago

    Good riddance. People like him give the rest of us technical support people a bad name through his arrogance and deceit. Hopefully he'll find some other worthwhile career once he's out of jail, like mucking out horse stalls or chopping firewood.

  6. hotdoge3 · 351 days ago

    I like that "rooted with his own rootkit"

    In New Zealand, if you are rooted that's bad, but in the US it's good.

  7. Richard P · 345 days ago

    Please check the spelling of the perp's name. You have Grisse or Gisse; the court document apparently has Grisse.

    • Paul Ducklin · 345 days ago

      Errrr, alleged perp :-)

      I wrote Grisse the first time and then got it wrong every other time I used the word...now fixed. Thanks.

  8. Ken · 258 days ago

    HostGator doesn't proactively disclose to its customers that its systems have been compromised. This is terrible practice, and is why I forced two of my clients to close an account that they had hosted with HostGator.

    Several email accounts from the first client got shut down for sending spam. A few of those email accounts had randomly generated passwords, and some were only used by servers/appliances on the client's network. The router logs showed no mail being sent from those hosts, so the account was compromised outside of the client's network. Since that many accounts were compromised, and across several OSs, I am fairly certain the failure is on HostGator's end. HostGator, via email and support calls, insisted that the compromise happened on my client's end.

    The second client had the same thing happen, just a few weeks after the first. At that point, I had both cancel their accounts and move to a more reputable hosting service in June.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog