New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

Cybersecurity researchers have uncovered PamDOORa, a sophisticated Linux backdoor masquerading as a legitimate PAM module to hijack SSH credentials. Sold for $1,600 on the Rehub Russian cybercrime forum by threat actor “darkworm,” this tool grants attackers persistent remote access via a hardcoded “magic password” paired with a custom TCP port. Linux administrators now face a stealthy threat that bypasses traditional detection, embedding directly into the system’s authentication stack.

This backdoor exploits the Pluggable Authentication Module (PAM) framework, a core Linux component handling user logins, sudo commands, and SSH sessions. By injecting malicious code into PAM, PamDOORa intercepts credentials without altering binaries or spawning suspicious processes—evading tools like AIDE file integrity checks or basic endpoint detection. Once installed, it validates incoming SSH connections against the secret combo, logging valid credentials to a hidden file while maintaining a clean system appearance.

PamDOORa Mechanics Exposed

PamDOORa operates as a post-exploitation toolkit, loading dynamically during authentication flows. Key technical traits include:

  • Magic password validation: A fixed string checked server-side, ignoring standard PAM stacks like pam_unix or pam_ldap.
  • TCP port binding: Listens on a non-standard port (e.g., above 1024) for backdoor sessions, separate from port 22.
  • Credential exfiltration: Dumps usernames, passwords, and keys to attacker-controlled channels without network beacons that trigger IDS alerts.
  • Persistence via PAM: Survives reboots by embedding in /etc/pam.d configs, mimicking legit modules like pam_limits.so.

Attackers deploy it post-initial compromise, often via supply-chain attacks or misconfigured servers. Unlike rootkits that hook syscalls, PamDOORa’s subtlety relies on PAM’s modularity, a design strength turned vulnerability. For deeper PAM internals, see the official Linux-PAM documentation.

Detection Challenges for Sysadmins

Spotting PamDOORa demands scrutiny beyond logs. Standard SSH monitoring misses it since traffic blends with normal logins. Indicators include:

  • Anomalous entries in /etc/pam.d/sshd or /etc/pam.d/common-auth.
  • Unexpected TCP listeners via `ss -tuln` or `netstat`.
  • Magic password traces in strace outputs during auth tests.

Tools like Lynis audit PAM configs, but manual review of module paths is essential. Integrate this with strategies for spotting deceptive security threats in credential systems. Network engineers should enforce mTLS for SSH and segment PAM-managed services using zero-trust principles.

Mitigation Strategies Now

IT teams must act decisively:

  • Audit PAM stacks: Run `pamtester` against custom modules; remove unsigned ones.
  • Harden SSH: Disable password auth via /etc/ssh/sshd_config (PasswordAuthentication no), mandate keys with `AuthorizedKeysCommand`.
  • Monitor anomalies: Deploy OSSEC or Falco for PAM hooks; alert on config drifts.
  • Containerize services: Shift SSH to systemd-nspawn or Docker, isolating PAM exposure.

For enterprises, implement automated compliance checks reconciling auth logs against baselines. Rotate all SSH keys immediately if exposure is suspected.
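Two of the mitigations above, alerting on PAM config drift and disabling password authentication in sshd_config, have a catch each that is worth checking in code. The following is an added example written for this article, not code from the article or from any project, and the sample configs in it are constructed. The drift check hashes every file under a pam.d directory and diffs it against a stored baseline. The sshd check applies sshd's own rule that the first occurrence of a keyword wins (so a `PasswordAuthentication no` appended below an existing `yes` changes nothing), and it also looks at `KbdInteractiveAuthentication`, because with `UsePAM yes` that path still hands a typed password to the PAM stack even when `PasswordAuthentication` is off.

```python
"""
Drift detection for /etc/pam.d plus an sshd_config check that follows sshd's
first-match rule. Added example for this article, not code from the article or
any project; the sample configs and the throwaway pam.d directory are constructed.
"""
import hashlib
import os
import re
import tempfile

def snapshot_dir(path):
    """Map each regular file under path (relative name) to its SHA-256 hex digest."""
    snap = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            if not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, path)] = hashlib.sha256(fh.read()).hexdigest()
    return snap

def diff_snapshots(baseline, current):
    """Return added/removed/changed file names between a stored baseline and a fresh snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }

# sshd_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
OPTION_RE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=\s*)?(.*)$")

def effective_sshd_option(config_text, keyword):
    """Value sshd will use for keyword: the FIRST occurrence wins, and everything
    after the first Match block is conditional, so parsing stops there.
    Returns None when the keyword is unset (sshd then applies its built-in default)."""
    want = keyword.lower()
    for raw in config_text.splitlines():
        m = OPTION_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == want:
            return value
    return None

def sshd_hardening_findings(config_text):
    """Findings for the two settings that let a PAM module see a typed password over SSH."""
    findings = []
    pw = (effective_sshd_option(config_text, "PasswordAuthentication") or "yes").lower()
    if pw != "no":
        findings.append(f"PasswordAuthentication is effectively '{pw}' (sshd default is yes)")
    kbd = (effective_sshd_option(config_text, "KbdInteractiveAuthentication")
           or effective_sshd_option(config_text, "ChallengeResponseAuthentication")
           or "yes").lower()
    if kbd != "no":
        findings.append(f"KbdInteractiveAuthentication is effectively '{kbd}': with UsePAM yes, "
                        "PAM can still prompt for a password even when PasswordAuthentication is no")
    return findings

# Constructed: the 'no' appended at the bottom never takes effect because the first value wins.
WEAK_SSHD_CONFIG = """\
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
"""
# Constructed: both password paths closed; the Match block below does not reopen them.
HARDENED_SSHD_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
UsePAM yes
Match Group sftponly
    ForceCommand internal-sftp
"""

def demo_drift():
    """Build a throwaway pam.d copy, baseline it, simulate tampering, and diff (constructed demo)."""
    with tempfile.TemporaryDirectory() as pam_dir:
        with open(os.path.join(pam_dir, "sshd"), "w") as fh:
            fh.write("auth required pam_unix.so\n")
        with open(os.path.join(pam_dir, "sudo"), "w") as fh:
            fh.write("auth include common-auth\n")
        baseline = snapshot_dir(pam_dir)
        with open(os.path.join(pam_dir, "sshd"), "a") as fh:   # extra auth line planted in sshd
            fh.write("auth sufficient /tmp/.cache/pam_limits.so\n")
        with open(os.path.join(pam_dir, "other"), "w") as fh:  # new service file appears
            fh.write("auth required pam_permit.so\n")
        return diff_snapshots(baseline, snapshot_dir(pam_dir))

if __name__ == "__main__":
    print("drift:", demo_drift())
    print("weak:", sshd_hardening_findings(WEAK_SSHD_CONFIG))
    print("hardened:", sshd_hardening_findings(HARDENED_SSHD_CONFIG))
```

In production the baseline from `snapshot_dir("/etc/pam.d")` is stored off-host (or in the Ansible inventory the article suggests for weekly audits) and the diff runs on a schedule; a non-empty result is the "config drift" alert. For sshd, the parser deliberately stops at the first `Match`, so confirm per-connection values with `sshd -T -C user=<name>,addr=<ip>`, which prints what sshd actually applies, Match blocks and included files resolved.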

Final Thoughts

PamDOORa signals a shift: attackers now weaponize Linux’s modular auth for persistence, challenging defenders reliant on binary scans. Enterprises running RHEL, Ubuntu, or Debian servers—especially in hybrid clouds—face elevated risks from forum-sourced tools like this $1,600 offering. Prioritize PAM integrity in your next pentest.

Going forward, expect more PAM abuse as Linux dominates edge and IoT. IT pros: script weekly PAM audits into Ansible playbooks, and push vendors for signed modules. This isn’t a one-off; it’s a blueprint for credential theft at scale.
