PamDOORa targets PAM auth

- Flare.io says a Linux backdoor called PamDOORa is being sold on the Russian-language Rehub forum by “darkworm” to hijack PAM-based SSH logins.
- The pitch is unusually concrete: $1,600 at launch on March 17, then $900 by April 9, plus a magic password and TCP port.
- That matters because PAM sits inside the login path itself, so a rooted host can silently capture real passwords and keep covert access.

Linux authentication is usually treated like plumbing. Quiet, boring, trusted. But that trust cuts both ways — if someone gets root on a box and swaps in a malicious PAM module, they are no longer just living on the system. They are sitting directly in the path where real users type real passwords. That is the hook in PamDOORa, a newly surfaced Linux backdoor Flare.io says is being sold on the Russian-language Rehub forum by a seller using the name “darkworm.”

### What is PAM, exactly?

PAM — Pluggable Authentication Modules — is the layer Linux services use to check who you are. SSH, local login, desktop sign-in, FTP, and other services can all hand authentication off to PAM instead of each building its own logic. That modular design is why admins can swap in local passwords, LDAP, Kerberos, certificates, or other methods without rewriting every application. It is also why a poisoned module is so dangerous: every service that trusts PAM trusts the module too. (thehackernews.com)

### Why is that a better place to hide?

Because PAM sees credentials in motion. It does not need to crack hashes or steal keys from disk if it can simply watch authentication happen live. Group-IB has been warning for a while that malicious PAM changes can create backdoors and harvest credentials because the framework handles plaintext values during the auth flow. Basically, the attacker moves from “steal secrets at rest” to “stand in the doorway and read them as they pass.” (group-ib.com)

### What does PamDOORa actually do?

Flare.io’s writeup, echoed in follow-on coverage, says PamDOORa is a PAM-based post-exploitation toolkit for Linux x86_64 systems. It gives the operator persistent SSH access using a magic password plus a specific TCP port, and it can also collect credentials from legitimate users authenticating through the compromised machine. That makes it both a backdoor and a credential tap. (group-ib.com)

### Does this mean it breaks in by itself?

No — and that distinction matters. The reporting says PamDOORa is a post-exploitation tool, which means the attacker likely needs root first through some other route, then installs the malicious PAM module. So this is not the initial breach. It is what an intruder deploys after winning enough access to tamper with the authentication stack. (thehackernews.com)

### Why are defenders uneasy about this?

Because once malware sits inside PAM, normal trust assumptions stop holding. Login prompts still work. Users still get in. SSH still looks normal. But every successful authentication can become intelligence for the attacker, and the same foothold can preserve future access even if some other malware gets cleaned up. That is a nastier failure mode than a noisy daemon or an obviously rogue process. (thehackernews.com)

### Is this part of a pattern?

Yes. PamDOORa is not the first Linux backdoor to abuse PAM. Coverage of the earlier “Plague” malware described a similar idea — covert SSH access, anti-forensics, and deep integration into the authentication path. PamDOORa looks like the same strategic move: stop fighting around the edge of the system and move into the identity layer itself. (thehackernews.com)

### What should admins take from this?

The big lesson is simple: hardening SSH alone is not enough if the host is already rooted. You also need integrity monitoring around PAM modules and configs, tight controls on who can change them, and admin patterns that reduce the value of captured passwords in the first place. Bastions, short-lived credentials, and stronger non-password flows all get more interesting when the login stack itself becomes the target. (thehackernews.com)

### Bottom line

PamDOORa matters because it turns Linux authentication into the attack surface, not just the thing being attacked. Once that happens, every normal login can quietly work for the intruder too. (thehackernews.com) (group-ib.com)
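The integrity monitoring the admin section calls for, as an added example written for this page (it is not code from Flare.io, Group-IB or the article): a POSIX shell script that hashes the PAM configuration directory and the PAM module directory into a baseline, re-verifies the host against that baseline, and lists any module that a PAM stack references but that is not on an allow list, which is exactly the change a dropped-in module has to make to get into the login path. The directory defaults, the function names and the sample `sshd` stack are assumptions or constructed; the demo at the bottom runs against a throwaway temporary tree rather than the real `/etc/pam.d`.

```shell
#!/bin/sh
# Added example (not from Flare.io or the article): baseline and re-verify the
# PAM config and module directories, and flag any module a stack references
# that is not on an allow list. Paths are parameters; the defaults below are
# an assumption (typical Debian/Ubuntu locations), override them as needed.
PAM_CONF_DIR=${PAM_CONF_DIR:-/etc/pam.d}
PAM_MOD_DIR=${PAM_MOD_DIR:-/lib/x86_64-linux-gnu/security}

# hash_file FILE: print "sha256  path" with whichever tool the host has
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# pam_baseline DIR...: one "hash  path" line per regular file, sorted
pam_baseline() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f | LC_ALL=C sort | while IFS= read -r f; do
            hash_file "$f"
        done
    done
}

# pam_verify BASELINE DIR...: report every file whose hash changed, that
# disappeared, or that appeared since BASELINE; returns 1 if anything differs
pam_verify() {
    baseline=$1; shift
    current=$(mktemp)
    pam_baseline "$@" > "$current"
    status=0
    while IFS= read -r line; do
        grep -qxF -- "$line" "$current" || { echo "CHANGED OR REMOVED: ${line#*  }"; status=1; }
    done < "$baseline"
    while IFS= read -r line; do
        grep -qxF -- "$line" "$baseline" || { echo "ADDED OR MODIFIED: ${line#*  }"; status=1; }
    done < "$current"
    rm -f "$current"
    return $status
}

# pam_referenced_modules CONFDIR: distinct module names wired into any stack.
# Takes the first field ending in .so on each non-comment line, so the
# "[success=1 default=ignore]" control syntax does not throw it off.
pam_referenced_modules() {
    grep -hvE '^[[:space:]]*(#|$)' "$1"/* 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break } }' \
        | LC_ALL=C sort -u
}

# pam_unexpected_modules CONFDIR MODULE...: print referenced modules that are
# missing from the allow list; returns 1 if any were found
pam_unexpected_modules() {
    conf=$1; shift
    allowed=" $* "
    found=0
    for m in $(pam_referenced_modules "$conf"); do
        case "$allowed" in
            *" $m "*) ;;
            *) echo "UNEXPECTED MODULE: $m"; found=1 ;;
        esac
    done
    return $found
}

# pam_demo: exercise the checks on a constructed throwaway tree so the script
# runs offline; on a real host point the functions at PAM_CONF_DIR/PAM_MOD_DIR
pam_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/pam.d" "$root/security"
    cat > "$root/pam.d/sshd" <<'EOF'
# constructed sample sshd stack
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       requisite    pam_deny.so
account    required     pam_unix.so
session    required     pam_limits.so
EOF
    printf 'placeholder bytes standing in for a real module\n' > "$root/security/pam_unix.so"
    base=$(mktemp)
    pam_baseline "$root/pam.d" "$root/security" > "$base"
    pam_verify "$base" "$root/pam.d" "$root/security" >/dev/null && echo "clean: baseline matches"
    # simulate the post-root tampering the article describes: a new module file
    # appears in the module directory and a line wiring it in lands in the stack
    printf 'placeholder bytes for an unexpected module\n' > "$root/security/pam_extra.so"
    echo 'auth       sufficient   pam_extra.so' >> "$root/pam.d/sshd"
    pam_verify "$base" "$root/pam.d" "$root/security"
    pam_unexpected_modules "$root/pam.d" pam_env.so pam_unix.so pam_deny.so pam_limits.so
    rm -rf "$root" "$base"
}
pam_demo
```

Two caveats follow from the article's own point that PamDOORa arrives after root: the baseline must be stored and compared off the host (an attacker who can replace a PAM module can rewrite a baseline file kept beside it), and the checker should be run from a trusted copy or compared against the package manager's own records (`dpkg --verify` or `rpm -V`) rather than trusted blindly on a box that may already be owned. The allow list is the part worth maintaining deliberately: it is short, changes rarely, and a new `.so` showing up in an `auth` line is precisely the signal this class of backdoor cannot avoid producing.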
