Former employee charged with installing backdoors on 2,700 Hostgator servers
A former system administrator at the popular web hosting company Hostgator has been arrested for unauthorized computer access through a backdoor that he secretly installed before he was fired. Eric Gunnar Gisse, 29, allegedly logged into the network using the credentials in an SSH key file he had taken from Hostgator, then used the backdoor to obtain "root" access on the compromised servers.
According to court documents, Gisse allegedly took a number of steps to mask what he had done, including naming the malware "pcre" so that it would look vaguely like PCRE, the widely used Perl Compatible Regular Expressions system library. To throw off investigators, he also altered the system tools ps and netstat, which administrators use to list running processes and network activity, so that a routine check would not reveal the backdoor's process or its listening socket.
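The trojaned ps and netstat described above are a userland trick: the binaries lie, but the kernel's own view in /proc does not. The following Python script is an added example, not code from the article, from Hostgator or from the court filings; it cross-checks the output of ps and netstat against /proc and /proc/net/tcp* and reports anything the tools omitted. The sample ps, netstat and /proc/net/tcp text embedded in it is constructed for illustration, and the port numbers and PIDs in it are arbitrary.

```python
"""Cross-check `ps` and `netstat` against the kernel's /proc view to spot a
trojaned binary that hides a process or a listening socket.
Added example; not Hostgator's code and not derived from the case evidence."""
import os
import socket
import struct
import subprocess


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp or /proc/net/tcp6 text; return {(ip, port)} of
    sockets in LISTEN state (st == 0A). Addresses are hex, host byte order."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header line
        local, state = fields[1], fields[3]
        if state != "0A":
            continue
        ip_hex, port_hex = local.split(":")
        if len(ip_hex) == 8:  # IPv4: one little-endian 32-bit word
            ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        else:  # IPv6: four little-endian 32-bit words
            raw = b"".join(struct.pack("<I", int(ip_hex[i:i + 8], 16))
                           for i in range(0, 32, 8))
            ip = socket.inet_ntop(socket.AF_INET6, raw)
        listeners.add((ip, int(port_hex, 16)))
    return listeners


def parse_netstat_listeners(text):
    """Parse `netstat -ltn` output; return {(ip, port)} of LISTEN sockets."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        ip, port = fields[3].rsplit(":", 1)
        listeners.add((ip, int(port)))
    return listeners


def parse_ps_pids(text):
    """Parse `ps -e -o pid=` output (one PID per line); return a set of ints."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def hidden_items(kernel_view, tool_view):
    """Entries the kernel reports but the userland tool left out."""
    return kernel_view - tool_view


def list_proc_pids():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def live_check():
    """Run the comparison on the current Linux host; returns (hidden_pids, hidden_listeners)."""
    before = list_proc_pids()
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True).stdout
    after = list_proc_pids()
    # Only a PID present in /proc both before and after ps ran, yet absent from
    # ps output, is flagged; this filters out processes that raced the snapshot.
    hidden_pids = hidden_items(before & after, parse_ps_pids(ps_out))
    kernel_listeners = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as fh:
                kernel_listeners |= parse_proc_net_tcp(fh.read())
    ns_out = subprocess.run(["netstat", "-ltn"], capture_output=True, text=True, check=True).stdout
    return hidden_pids, hidden_items(kernel_listeners, parse_netstat_listeners(ns_out))


# Constructed sample input: the kernel sees sshd on 22 and a second listener on
# 8080, while the (hypothetically trojaned) netstat reports only port 22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 0100007F:9C40 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""
SAMPLE_PS = "    1\n    2\n  845\n 1200\n"
SAMPLE_PROC_PIDS = {1, 2, 845, 1200, 31337}  # constructed: 31337 is the "hidden" one


def demo():
    """Run the comparison on the constructed samples; returns (hidden_pids, hidden_listeners)."""
    kernel = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP) | parse_proc_net_tcp(SAMPLE_PROC_NET_TCP6)
    return (hidden_items(SAMPLE_PROC_PIDS, parse_ps_pids(SAMPLE_PS)),
            hidden_items(kernel, parse_netstat_listeners(SAMPLE_NETSTAT)))


if __name__ == "__main__":
    pids, socks = demo()
    print("sample: hidden PIDs", sorted(pids), "hidden listeners", sorted(socks))
    if os.path.isdir("/proc"):
        pids, socks = live_check()
        print("live: hidden PIDs", sorted(pids) or "none", "hidden listeners", sorted(socks) or "none")
```

This catches only userland tampering of the kind the article describes; a kernel-level rootkit can falsify /proc as well, so the cross-check belongs alongside verifying package-managed binaries against their package database (for example rpm -V or debsums) and comparing them with known-good copies from clean media.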
Gisse's remote access program was found on 2,723 separate servers inside Hostgator's network, or about 25 percent of the servers managed by the company, according to a commentator at webhostingtalk.com.
Hostgator says it discovered the backdoor in February 2012, the same week that Gisse was terminated. It is not clear why the company took more than a year to press charges, but some of the evidence supporting the arrest came from a tool the company had deployed to take screenshots once every minute; key information in some of those screenshots apparently linked Gisse to the illicit activity.
Though Gisse is presumed innocent until proven guilty, the incident underscores the extreme damage an inside attack can cause. And while Hostgator says that customers' files were not accessed, Gisse had the access rights to do so had he wished. Ultimately, this case shows how exposed a cloud provider's servers and customer data are to a rogue employee who keeps privileged credentials, such as an SSH key, after leaving, and why an administrator's keys and access must be revoked, and the systems they controlled checked for tampering, the moment they are terminated.