A sophisticated new Linux backdoor has been identified that targets the Pluggable Authentication Module (PAM) stack to maintain persistence and harvest SSH credentials. This post-exploitation toolkit is designed to remain silent while collecting the credentials of every legitimate user who authenticates to the system.
PamDOORa, currently being sold on cybercrime forums, allows an attacker to authenticate to compromised servers via OpenSSH using a “magic password” combined with a specific TCP port trigger. Unlike traditional backdoors that spawn new processes, PamDOORa integrates directly into the system authentication workflow, making it exceptionally difficult to detect with standard process monitoring tools.
The use of PAM for persistence is a high-stealth tactic that allows an adversary to “live off the authentication.” By harvesting valid SSH credentials, the attacker can move laterally through the internal network using legitimate accounts, effectively bypassing identity-based anomaly detection.
– Periodically verify the integrity of PAM configuration files and associated library binaries (e.g., pam_unix.so).
– Implement system-level file integrity monitoring (FIM) to detect unauthorized changes to the /etc/pam.d/ directory.
– Utilize centralized logging and analyze SSH authentication patterns for the use of non-standard ports or anomalous “magic” password triggers.
– Transition to certificate-based SSH authentication to neutralize the effectiveness of password-harvesting backdoors.
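The first two recommendations in working form, as an added example that is not code from the original post: a POSIX-sh baseline/drift check over the PAM configuration and module directories, plus an allowlist check on every pam_*.so the configuration loads. It assumes paths contain no whitespace and that sha256sum, diff, awk and grep are available; the fixture, the allowlist and the module name pam_magic_example.so are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): PAM integrity checks.
# Assumptions: paths contain no whitespace; sha256sum, diff, awk, grep present.

# pam_baseline BASELINE DIR... : record "hash  path" for every regular file.
pam_baseline() {
    out=$1; shift
    find "$@" -type f -exec sha256sum {} + | sort -k 2 > "$out"
}

# pam_drift BASELINE DIR... : print "added|removed|modified<TAB>path" lines.
# Returns 0 when the tree matches the baseline, 1 when anything changed.
pam_drift() {
    base=$1; shift
    cur=$(mktemp)
    find "$@" -type f -exec sha256sum {} + | sort -k 2 > "$cur"
    # Path only on the '<' side: removed; only on '>': added; both: modified.
    report=$(diff "$base" "$cur" | awk '
        /^</ { s[$3] = (s[$3] == "") ? "removed" : "modified" }
        /^>/ { s[$3] = (s[$3] == "") ? "added"   : "modified" }
        END  { for (p in s) print s[p] "\t" p }' | sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# pam_unknown_modules ALLOWLIST DIR : print every pam_*.so named in DIR's config
# files that is not listed (one per line) in ALLOWLIST. Returns 1 if any exist.
pam_unknown_modules() {
    allow=$1; dir=$2
    found=$(grep -rhoE 'pam_[A-Za-z0-9_]+\.so' "$dir" | sort -u | grep -vxF -f "$allow" || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed fixture: a fake pam.d tree that is baselined and then tampered
# with by appending a line loading a hypothetical module. Prints the fixture dir.
pam_demo() {
    d=$(mktemp -d)
    mkdir "$d/pam.d"
    printf 'auth required pam_unix.so\naccount required pam_unix.so\n' > "$d/pam.d/sshd"
    printf 'pam_unix.so\npam_deny.so\n' > "$d/allow"
    pam_baseline "$d/base" "$d/pam.d"
    printf 'auth sufficient pam_magic_example.so\n' >> "$d/pam.d/sshd"   # simulated tamper
    printf '%s\n' "$d"
}
```

Run the baseline once from a known-good state (ideally also cross-checked against the package manager's own verification) and schedule pam_drift and pam_unknown_modules from cron or a FIM hook; both return non-zero so they can drive alerts.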
When the authentication stack itself is compromised, the primary trust boundary of the Linux server is neutralized; defense must shift to hardware-backed identity. #CodeDefence #Linux #Backdoor #SSH #PamDOORa