7/8/13 Former Hostgator employee arrested, charged with rooting 2,700 servers | Ars Technica
arstechnica.com/security/2013/04/former-employee-arrested-charged-with-rooting-2700-hostgator-servers/ 1/3
Former Hostgator employee arrested,charged with rooting 2,700 serversProsecutors: Backdoor and digital key gave him near unfettered access.
Aurich Lawson
A former employee of Hostgator has been arrested and charged with installing a backdoor that gave
him almost unfettered control over more than 2,700 servers belonging to the widely used Web hosting
provider.
Eric Gunnar Gisse, 29, of San Antonio, Texas, was charged with felony breach of computer security
by the district attorney's office of Harris County in Texas, according to court documents. He worked as
a medium-level administrator from September 2011 until he was terminated on February 15, 2012,
according to prosecutors and a company executive. A day after his dismissal, Hostgator officials
discovered a backdoor application that allowed Gisse to log in to servers from remote locations,
including a computer located at the Hetzner Data Center in Nuremberg, Germany. He took pains to
disguise his malware as a widely used Unix administration tool to prevent his superiors from
discovering the backdoor process, prosecutors said.
"The process was named 'pcre', a common system file, in order to disguise the true purpose of the
process which would grant an attacker unauthorized access into Hostgator's computer network," a
Houston Police Department investigator and the document's "affiant," Gordon M. Garrett, wrote in an
affidavit. "Complainant told affiant he searched Hostgator's computer network and found the
unauthorized 'pcre' process installed on 2723 different Hostgator servers within the computer
network."
Gisse didn't return a voicemail and e-mail seeking comment for this report. A Court docket shows he
is scheduled to be arraigned next month and gives no indication he has entered a plea in the case.
He's being held at the Harris County Jail on $20,000 bond, a spokeswoman at the district attorney's
office said.
The backdoor allowing near-unfettered "root" access to Apache Web server systems was possible
because Gisse obtained a Hostgator digital SSH key and transferred it to computers under his
control, including one at efnet.pe, Garrett alleged. "The defendant then attempted to penetrate the
THE FUTURE OF NETWORKING »
» Brocade Helps Hospital Navigate theRapids of Network Change
More coming soon …
A special series powered by
TOP FEATURE STORY
WATCH ARS VIDEO
STAY IN THE KNOW WITH
RISK ASSESSMENT / SECURITY & HACKTIVISMMain Menu My Stories: 25 Forums Subscribe Video Log In▼ ▼ Search
by Dan Goodin - Apr 19 2013, 12:51pm EDTBLACK HAT INTERNET CRIME 69
FEATURE STORY (3 PAGES)
How the attempt tosequence “Bigfoot’sgenome” went badly offtrackHumans interbred with an unknown hominin in
Europe then crossed the Bering Sea—say
what?
Butterfly Labs 5GHs BitcoinMinerArs gives you a brief video walkthrough of the
Butterfly Labs 5GHs Bitcoin miner.
7/8/13 Former Hostgator employee arrested, charged with rooting 2,700 servers | Ars Technica
arstechnica.com/security/2013/04/former-employee-arrested-charged-with-rooting-2700-hostgator-servers/ 2/3
← OLDER STORY NEWER STORY →
Hostgator computer network from 'efnet.pe' using the Hostgator digital SSH key," Garrett wrote.
Hostgator COO Patrick Pelanne, referred to as the "complainant" in the affidavit, told Ars the
backdoor was discovered in February 2012, the same week that Gisse was terminated. While his root
access gave Gisse access to private data stored on a large number of customer websites, there's no
evidence he used it, the Hostgator executive said.
"He did not access customer content," Pelanne told Ars. "We caught it well before he had any chance
to do any of that."
Given the rapid discovery, the malware was on Hostgator systems for less than a month. Although the
affidavit alleges that the backdoor was discovered in February of 2013, Pelanne said that date is
erroneous and is most likely the result of a typo. Harris County prosecutors weren't available to
confirm that the 2013 date included in court documents was wrong.
Gisse took other steps to conceal the compromise of Hostgator systems. On February 19, three days
after Pelanne said the backdoor came to light, investigators found that two standard network
diagnostic tools had been modified on the Web host's network. Specifically, the "ps" and "netstat"
programs—which allow administrators to enumerate all running applications and network connections
respectively—had been hacked to hide certain activities. Senior Hostgator security personnel "were
activated to respond to, identify, and neutralize the intrusion incident," the affidavit said.
While Gisse is presumed innocent until proven otherwise, the unconfirmed narrative provides a potent
reminder of the threats that lurk from even mid-level employees inside companies that host sensitive
information. Having secret control over 2,700 servers inside a Web hosting provider is no small
matter, considering each machine can be used for hundreds or possibly thousands of individual
websites. But the alleged series of events also highlights the measures employers can take to keep
tabs on rogue workers. Among other things, a desktop monitoring system that took screenshots of
employee workstations in one-minute increments helped Hostgator officials quickly zero in on Gisse.
Dan Goodin / Dan is the IT Security Editor at Ars Technica, w hich he joined in 2012 after w orking for The Register, the
Associated Press, Bloomberg New s, and other publications.
YOU MAY ALSO LIKE
LATEST NEWS
Possible explanation for radiobursts: Meet the “blitzar”
Deals with foreign cableowners, secret court rulingsbroaden NSA spying potential
Study: Hawk moths use sonarjamming genitals in fightagainst bats
SEARCH ON
“Hot latex beds”: The strangestsearches that bring readers to Ars
Bolivia joins the party, alsogrants asylum for EdwardSnowden
LIKE TRACKING COOKIES FOR YOUR IRL TRAVELS
Japanese railway company plans tosell data from e-ticket records
READER COMMENTS 69
7/8/13 Former Hostgator employee arrested, charged with rooting 2,700 servers | Ars Technica
arstechnica.com/security/2013/04/former-employee-arrested-charged-with-rooting-2700-hostgator-servers/ 3/3
SITE LINKS
About Us
Advertise with us
Contact Us
Reprints
SUBSCRIPTIONS
Subscribe to Ars
MORE READING
RSS Feeds
Newsletters
CONDE NAST SITES
Wired
Vanity Fair
Style
Details
Visit our sister sites
Subscribe to a magazine
VIEW MOBILE SITE
© 2013 Condé Nast. All rights reserv edUse of this Site constitutes acceptance of our User Agreement (effectiv e 3/21/12) and Priv acy Policy (effectiv e 3/21/12), and Ars Technica Addendum (effectiv e 5/17/2012)Your California Priv acy RightsThe material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast.
Ad Choices