Flare.io threat intelligence researchers have published analysis of PamDOORa, a Linux post-exploitation toolkit sold on the "Rehub" Russian-language cybercrime forum for approximately $1,600. PamDOORa installs as a malicious Pluggable Authentication Module (PAM) on Linux systems, providing a persistent backdoor with hidden SSH access and credential harvesting capabilities that survive reboots and standard service restarts.
PAM Module Abuse as a Persistence Mechanism
PAM (Pluggable Authentication Module) is the Linux authentication framework that handles user login, password verification, and session management across SSH, sudo, graphical logins, and other authentication points. PAM modules are shared libraries that the PAM framework loads during authentication events; this is what lets system administrators customise authentication behaviour (adding MFA requirements, for example).
PamDOORa abuses this mechanism by installing a malicious PAM module (pam_systemd_custom.so) into the system's PAM library directory and adding a reference to it in /etc/pam.d/ configuration files. Because the malicious module is loaded by the PAM framework, a legitimate system process, it operates with the same trust level as legitimate PAM modules.
The malicious module performs two functions:
1. Credential harvesting: On every authentication event processed through PAM (SSH logins, su/sudo, screen unlocks), PamDOORa intercepts the plaintext password being verified and appends it to an encrypted log file alongside the username, source IP, and timestamp. This collects credentials for all users who authenticate to the system, including privileged accounts and service accounts that use PAM for authentication.
2. Magic password backdoor: PamDOORa accepts a specific hardcoded "magic password" that causes it to return authentication success regardless of what the correct password is, effectively creating a hidden password that authenticates as any user on the system. The magic password is configurable at install time. This provides the attacker with persistent SSH access as any user on the system even after the original exploitation path is remediated.
Additionally, PamDOORa opens a hidden TCP listening port for a secondary access mechanism that does not require SSH infrastructure at all, providing a fallback in case SSH access is restricted.
Detection
PamDOORa is designed to blend with legitimate PAM infrastructure. Detection requires:
PAM library inspection: List all PAM modules in /lib/security/, /lib/x86_64-linux-gnu/security/, or the equivalent platform path, and verify each against the package manager's file ownership database:
dpkg -S /lib/security/*.so # Debian/Ubuntu
rpm -qf /lib/security/*.so # RHEL/CentOS/Fedora
Any PAM module not owned by a legitimate package should be investigated.
PAM configuration review: Check all files in /etc/pam.d/ for unexpected module references. Legitimate PAM configurations reference only system-package-managed modules.
SIEM rules for PAM anomalies: Authentication events logged via PAM (visible in /var/log/auth.log or /var/log/secure) warrant investigation when they show a magic-password login or an authentication success at unusual hours or from unexpected source IPs.
File integrity monitoring: Configuring AIDE or a similar file integrity monitoring tool to alert on changes to /lib/security/, /etc/pam.d/, and other authentication-critical paths provides detection for PAM module installation post-compromise.
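As an added example (not code from the Flare.io analysis or from the toolkit), the following Python audit applies the first two checks above: it parses /etc/pam.d/ entries, including bracketed control fields and @include lines, and reports any referenced or on-disk module that dpkg -S / rpm -qf does not attribute to an installed package. The PAM library paths it searches and the sshd fragment it carries are assumptions/constructed.

```python
import re
import shutil
import subprocess
from pathlib import Path

# One pam.d entry: [-]type control module-path [args]; control may be bracketed, e.g. [success=1 default=ignore]
_PAM_LINE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+.*)?$")
# Constructed sshd fragment; the last auth line uses the module name from the article.
SAMPLE_SSHD = """\
@include common-auth
auth    [success=1 default=ignore]   pam_unix.so nullok
-auth   optional                     pam_systemd_custom.so
session required                     pam_limits.so
"""

def referenced_modules(config_text):
    """Map each module basename referenced in one pam.d file to the lines that load it."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line or line.startswith("@include"):    # includes name other pam.d files
            continue
        if m := _PAM_LINE.match(line):
            found.setdefault(Path(m.group(3)).name, []).append(line)
    return found

def package_owned(module_paths):
    """Basenames of module files that dpkg -S or rpm -qf attributes to an installed package."""
    tool = ["dpkg", "-S"] if shutil.which("dpkg") else ["rpm", "-qf"] if shutil.which("rpm") else None
    owned = set()
    for path in module_paths:
        # Query the literal path and its resolved form: merged-/usr systems record /usr/lib/...
        for candidate in {str(path), str(Path(path).resolve())}:
            if tool and subprocess.run(tool + [candidate], capture_output=True).returncode == 0:
                owned.add(Path(path).name)
    return owned

def unexpected_modules(config_text, owned):
    """Referenced modules that no package owns: the ones the article says to investigate."""
    return {n: l for n, l in referenced_modules(config_text).items() if n not in owned}

if __name__ == "__main__":
    dirs = ("/lib/security", "/lib/x86_64-linux-gnu/security", "/lib64/security")  # assumed paths
    modules = [p for d in map(Path, dirs) if d.is_dir() for p in d.glob("*.so")]
    owned = package_owned(modules)
    print("unowned modules on disk:", [str(p) for p in modules if p.name not in owned])
    for cfg in sorted(p for p in Path("/etc/pam.d").glob("*") if p.is_file()):
        for name, lines in unexpected_modules(cfg.read_text(errors="replace"), owned).items():
            print(f"{cfg}: references unowned module {name}: {lines[0]}")
```

A module that is referenced in a config file but absent from disk is reported as well, since it is also not package-owned.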
Forensic Implications
The credential harvesting behaviour of PamDOORa means that any system on which it is confirmed to have operated should be treated as having had all user passwords compromised, regardless of how long the backdoor was in place. Password resets for all accounts that authenticated to affected systems are required as part of remediation.
The commercial availability of a polished PAM backdoor at a price point of $1,600 indicates that PAM module abuse for persistence has moved from an advanced technique to a commodity tool accessible to criminal actors without deep Linux expertise.