Hosting company Hostgator hacked, suspect arrested after being “rooted with his own rootkit”

A system administrator – or, more accurately, a former system administrator – from Hostgator, a server hosting company in Houston, Texas, has been arrested for hacking into his former employer’s network.

Court documents allege that after Eric Gunnar Grisse, 29, got the sack from his job at Hostgator, he jumped right back into the company’s network, using a backdoor Trojan he had planted earlier.

Hosting companies do just what their name suggests: they run racks full of servers, plus a network to connect them all up, and then rent you time and space on one or more of them, so you don’t need to own and operate your own IT infrastructure.

The services available typically include: simple websites, where your web pages are handled by a web server that also hosts other users’ websites; virtual servers, where virtualisation is used to share out powerful physical servers amongst multiple customers; and dedicated servers, where a specific physical server is provisioned with an operating system and turned over to you almost as if it were your own.

Web hosting is a bit like renting a bed in a backpackers’ dormitory; a virtual server is like a room in a boarding house; and a dedicated server is like an apartment in a high-rise block.

Obviously, if you misconfigure your own hosted setup, you run the risk of being hacked and having your online presence ruined.

Most hosting companies try to prevent you from making egregious mistakes, but if you choose to give edit rights to your web pages to a careless contractor, say, that’s your lookout.

At the same time, you put a lot of trust in the security competence of your hosting provider.

After all, if your provider configures its network badly, then other customers might wrongly be able to mess with your servers, even though you set up your parts of the system correctly.

Worse still, hackers who are able to get into the operational innards of a hosting business might be able to mess with any and all of the systems on the network.

Grisse, it is alleged, was able to get unlawful access somewhere between these two levels.

According to the affidavit in this case, Grisse’s remote access program was found on 2723 separate servers inside Hostgator’s network.

That’s about 25% of the servers entrusted to Hostgator, according to a commentator on the online community forum webhostingtalk.com.

The court documents claim, amongst other things, that Grisse:

  • Named his backdoor program pcre, which makes it look vaguely like a commonly-used system library known in full as Perl Compatible Regular Expressions.
  • Altered the system tools ps and netstat, which list running programs and network activity respectively, to hide his own presence. (Replacing the system’s own tools so that they lie about what is running is what makes this a “rootkit” in the old-school Unix sense of the word.)
  • Stole a Hostgator SSH login key file so he could continue to authenticate even from outside, after being sacked.
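A trojaned ps or netstat can only filter what it prints; it cannot remove the /proc entries the kernel maintains. The check below, added here as an example and not code from the article or from Hostgator, lists /proc independently and diffs it against the tools’ output to expose anything they hide. It assumes a Linux /proc layout and `ps -eo pid=` / `netstat -tln` output formats; the sample listings embedded in it are constructed for the example, with PID 1337 and port 8080 playing the part of the hidden backdoor.

```python
"""Cross-check ps and netstat against /proc to spot a userland rootkit.

Added example (not from the article or from Hostgator). Sample data below is
constructed: a "hidden" PID 1337 and a "hidden" listening port 8080.
"""
import os
import subprocess
import sys

# --- constructed sample data --------------------------------------------
SAMPLE_PROC_ENTRIES = ["1", "2", "1337", "self", "thread-self", "net", "cpuinfo"]
SAMPLE_PS_OUTPUT = "    1\n    2\n"          # trojaned ps omits 1337
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 9012 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""                                           # trojaned netstat omits :8080

TCP_LISTEN = "0A"  # socket state code used in /proc/net/tcp


def pids_from_proc(entries) -> set:
    """Numeric directory names under /proc are PIDs; everything else is not."""
    return {int(name) for name in entries if name.isdigit()}


def pids_from_ps(ps_output: str) -> set:
    """Parse `ps -eo pid=` output (one PID per line, no header)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(proc_pids: set, ps_pids: set) -> set:
    """PIDs the kernel knows about that ps failed to report."""
    return proc_pids - ps_pids


def ports_from_proc_net_tcp(text: str) -> set:
    """Local ports of LISTEN sockets in /proc/net/tcp (column 2 is hex addr:port)."""
    ports = set()
    for line in text.splitlines()[1:]:        # first line is the header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == TCP_LISTEN:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def ports_from_netstat(text: str) -> set:
    """Local ports of LISTEN sockets from `netstat -tln` output."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0] in ("tcp", "tcp6") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def demo():
    """Run both comparisons over the constructed samples."""
    pids = hidden_pids(pids_from_proc(SAMPLE_PROC_ENTRIES), pids_from_ps(SAMPLE_PS_OUTPUT))
    ports = ports_from_proc_net_tcp(SAMPLE_PROC_NET_TCP) - ports_from_netstat(SAMPLE_NETSTAT_OUTPUT)
    return pids, ports


def live_check():
    """Same comparison on the running machine (Linux only, needs ps and netstat)."""
    before = pids_from_proc(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    after = pids_from_proc(os.listdir("/proc"))
    # Processes that start or exit between listings are noise; keep only PIDs seen both times.
    pids = hidden_pids(before & after, pids_from_ps(ps_out))
    with open("/proc/net/tcp") as fh:
        proc_ports = ports_from_proc_net_tcp(fh.read())
    ns_out = subprocess.run(["netstat", "-tln"], capture_output=True, text=True, check=True).stdout
    return pids, proc_ports - ports_from_netstat(ns_out)


if __name__ == "__main__":
    print("constructed sample:", demo())
    if sys.platform.startswith("linux"):
        print("this host:", live_check())
```

The live check is only as trustworthy as the kernel and the Python interpreter it runs under; a kernel-level rootkit can lie in /proc too, so on a suspect box the reference listing should come from a known-good boot medium or a hash-verified copy of the tools rather than from the installed ones.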

SSH (secure shell) is a ubiquitous and general-purpose way of accessing Unix systems remotely by creating an authenticated and encrypted network connection between two computers. Typically, there are two ways of logging in over SSH: by typing in a traditional username and password, and by using a pre-computed public/private key pair.

The keypair approach is popular with sysadmins because it avoids the need to keep typing in usernames and passwords. You generate a keypair and add the public key to the authorized_keys file in the account’s .ssh directory on the server; then you can log in from any computer on which the private key file is installed.

You can encrypt the private key with a passphrase if you like, so that a stolen copy is useless on its own, but many people don’t bother, because automation scripts need to use the key unattended. An unencrypted private key is therefore a bearer credential: whoever copies the file can authenticate as its owner until the matching public key is removed from every server that trusts it.
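Whether a private key is passphrase-protected is visible in the file itself, so an audit of a hosting company’s automation accounts can find unencrypted keys without ever using them. The checker below is an added example, not code from the article or from Hostgator. It reads the cipher name from the openssh-key-v1 header (the format ssh-keygen has written by default since OpenSSH 7.8), the Proc-Type header of legacy PEM keys, and the BEGIN line of PKCS#8 keys. The sample key files it builds are constructed for the example, with dummy key material: only the header fields matter to the check, and they are not usable keys.

```python
"""Find SSH private keys that are not passphrase-protected.

Added example (not from the article or from Hostgator). The key files built
here are constructed with dummy key material; only their headers are real.
"""
import base64
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode an SSH string at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def key_is_encrypted(key_text: str) -> bool:
    """True if the private key needs a passphrase, False if it is usable as-is."""
    lines = [ln.strip() for ln in key_text.strip().splitlines() if ln.strip()]
    header = lines[0]
    if header == OPENSSH_HEADER:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        # Layout: magic, ciphername, kdfname, kdfoptions, ... ; "none" means plaintext.
        cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return True
    if header == "-----BEGIN PRIVATE KEY-----":             # PKCS#8, plaintext
        return False
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])
    raise ValueError("not a recognised private key format")


def find_unencrypted_keys(directory: str) -> list:
    """Paths of files in `directory` that parse as private keys and need no passphrase."""
    found = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="ascii") as fh:
                if not key_is_encrypted(fh.read()):
                    found.append(path)
        except (ValueError, UnicodeDecodeError, IndexError):
            continue   # not a private key (public key, known_hosts, config, ...)
    return found


# --- constructed sample keys (dummy material, not usable) ----------------
def constructed_openssh_key(cipher: str, kdf: str) -> str:
    """Build a syntactically valid openssh-key-v1 file with dummy payload."""
    kdfopts = b"" if kdf == "none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfopts) + struct.pack(">I", 1)
            + _ssh_string(b"dummy-public-key") + _ssh_string(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_HEADER}\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


LEGACY_PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUFBQQ==\n-----END RSA PRIVATE KEY-----\n"
LEGACY_PEM_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUFBQQ==\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print("openssh none/none     :", key_is_encrypted(constructed_openssh_key("none", "none")))
    print("openssh aes256/bcrypt :", key_is_encrypted(constructed_openssh_key("aes256-ctr", "bcrypt")))
    print("legacy PEM plain      :", key_is_encrypted(LEGACY_PEM_PLAIN))
    print("legacy PEM encrypted  :", key_is_encrypted(LEGACY_PEM_ENCRYPTED))
    print("unencrypted in ~/.ssh :", find_unencrypted_keys(os.path.expanduser("~/.ssh")))
```

For automation that genuinely needs an unattended key, the usual compromises are a separate, narrowly scoped key (a `command=` restriction or `from=` source limit in authorized_keys), or loading a passphrase-protected key into ssh-agent once at boot; and in either case, revoking the public key from every host the moment the holder leaves, which is the step the allegations suggest was missed here.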

Grisse was caught, it is claimed, due to evidence that included:

  • Logs saved as part of a once-a-minute screenshotting tool implemented by Hostgator to keep an audit trail of IT operations. The investigators claim that Grisse expressed the intention to “get himself fired” and to steal data from the company, and also identified logins from his Hostgator account, under the name acdc, to a server in Germany named efnet.pe.
  • An illicit network connection, open at the time of investigation, between Hostgator and efnet.pe. Apparently, the investigators were able to use the connection in reverse to locate a stash of hacking tools, exploits, and data belonging to Hostgator, as well as a logged-in user called acdc.

If the allegations are true, it sounds as though the suspect was hoist by his own petard, or at least rooted with his own rootkit!