A new Linux backdoor, named PamDOORa, has been detected and poses a real threat to systems with SSH exposed to the internet. The malware is a malicious PAM module: PAM (Pluggable Authentication Modules) is the framework that Linux services use to verify logins, and a module sitting in that chain sees passwords in plaintext as users log in. Captured credentials are sent to a command-and-control (C&C) server run by the attackers.
How PamDOORa integrates into the authentication process 🛡️
PamDOORa is added as an entry in the PAM stack that sshd consults, so PAM loads it exactly as it would a legitimate module. Any module in an auth stack can read the authentication token that an earlier module (typically pam_unix) collected from the user, which is how the backdoor obtains the username and password in plaintext during login, regardless of the encryption SSH applies on the wire. The captured pair is written to a temporary file and exfiltrated over HTTP to a remote domain. Persistence comes from editing a PAM configuration file such as common-auth: the change survives reboots, is rarely compared against a known-good copy in routine audits, and, because common-auth is included by many services, harvests passwords from sudo, su and console logins as well as SSH. Logins that authenticate with an SSH key do not pass a password through the auth stack, so the module has nothing to capture from them.
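As an added example (not code from the article, and not derived from any analysis of PamDOORa itself), the following Python audit parses a PAM stack file and flags the two traces a module like this leaves in it: a module name that is not in the host's baseline, and a module loaded from an absolute path outside the distribution's module directory. The allowlist, the directory list and the sample common-auth are constructed for illustration; on a real host, generate the baseline from installed package contents rather than typing it in.

```python
"""Audit a PAM stack file for entries a credential-stealing module would add.

Added example; the allowlist, directories and sample file below are constructed.
"""
import os
import re
import sys
from dataclasses import dataclass, field

# Constructed allowlist: what this sample stack is expected to load.  On a real
# host derive it from package contents (`dpkg -L libpam-modules`, `rpm -ql pam`).
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
    "pam_cap.so", "pam_faillock.so", "pam_limits.so", "pam_systemd.so",
}

# Directories a distribution's PAM packages install modules into (constructed
# list covering common Debian/RHEL layouts; extend for other architectures).
STANDARD_MODULE_DIRS = {
    "/lib/security", "/lib64/security",
    "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
}


@dataclass
class PamEntry:
    type: str                      # auth, account, password or session
    control: str                   # required, optional, [success=1 default=ignore], ...
    module: str                    # as written: bare name or absolute path
    args: list = field(default_factory=list)
    lineno: int = 0


# type  control-or-[bracketed list]  module  optional-args
PAM_LINE = re.compile(r"^(-?\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_stack(text):
    """Parse a /etc/pam.d/<service>-style file; skip comments, blanks, @include."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            continue
        mtype, control, module, rest = m.groups()
        entries.append(PamEntry(mtype, control, module, rest.split(), lineno))
    return entries


def audit_pam_stack(entries, known=KNOWN_MODULES, dirs=STANDARD_MODULE_DIRS):
    """Return (entry, reason) pairs for lines that do not match the baseline."""
    findings = []
    for e in entries:
        name = os.path.basename(e.module)
        if e.module.startswith("/") and os.path.dirname(e.module) not in dirs:
            # A look-alike such as /opt/.cache/pam_unix.so passes a name check,
            # so the path check runs first.
            findings.append((e, f"module loaded from non-standard path {e.module}"))
        elif name not in known:
            findings.append((e, f"module {name} is not in the baseline"))
    return findings


# Constructed sample in Debian's common-auth layout, with two lines of the kind
# a PAM-stack backdoor would append after pam_unix has already collected the
# password.  Not taken from any real infection.
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth (constructed sample)
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
auth    optional                        pam_sshd_helper.so
auth    optional                        /opt/.cache/pam_unix.so
"""


if __name__ == "__main__":
    # Usage: python pam_audit.py [/etc/pam.d/common-auth ...]; no args = sample.
    targets = sys.argv[1:] or ["<sample>"]
    for path in targets:
        text = SAMPLE_COMMON_AUTH if path == "<sample>" else open(path).read()
        for entry, reason in audit_pam_stack(parse_pam_stack(text)):
            print(f"{path}:{entry.lineno}: {entry.type} {entry.control} {reason}")
```

Run it over every file in /etc/pam.d (and /etc/pam.conf if present), then corroborate with the package manager's own integrity check (`dpkg --verify` or `debsums` on Debian, `rpm -Va` on RHEL) so that a module dropped into the standard directory under a known name, which this script cannot distinguish from the genuine file, is still caught by a checksum mismatch.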
The backdoor that crashed the password party 🎭
PamDOORa shows that even Linux, the operating system of those who like to boast about security, can have its own uninvited guest at the authentication dinner. While users believe their SSH is a fortress, this backdoor acts like a waiter jotting passwords down on a napkin and passing them to the bar owner. That said, the attackers have at least had the courtesy to use PAM, the system's officially sanctioned way in, rather than dirtying the kernel.