PamDOORa: The New Linux Backdoor Hijacking SSH via PAM Modules

In the shadowy corners of the cybercrime underground, a new threat has emerged. Known as PamDOORa, this Linux backdoor is being marketed on the Russian Rehub forum by a threat actor named 'darkworm' for a hefty $1,600. PamDOORa is not a run-of-the-mill backdoor: it is a Pluggable Authentication Module (PAM)-based toolkit that lets attackers keep persistent SSH access using a secret password and a specific TCP port. Below, we answer key questions about this alarming development.

What is PamDOORa and how does it work?

PamDOORa is a Linux backdoor that functions as a post-exploitation toolkit built on top of the Pluggable Authentication Module (PAM) framework. Once installed on a compromised system, it intercepts the standard SSH authentication process. Instead of relying on common backdoor techniques, PamDOORa uses a magic password—a secret string known only to the attacker—combined with a specific TCP port. When a connection attempt uses this magic password on the designated port, the backdoor grants immediate root-level SSH access, bypassing normal user credentials. This design makes it extremely stealthy because it blends into legitimate PAM operations, evading detection by traditional security tools that focus on file signatures or network anomalies.

PamDOORa: The New Linux Backdoor Hijacking SSH via PAM Modules
Source: feeds.feedburner.com

Who is behind PamDOORa and where is it sold?

The threat actor behind PamDOORa uses the alias darkworm and is actively advertising this tool on the Rehub Russian cybercrime forum. The backdoor is priced at $1,600, indicating it is aimed at skilled adversaries who seek a persistent, hard-to-detect foothold in Linux environments. Rehub is known for hosting advanced malware and exploit kits, catering to a community of cybercriminals who specialize in targeted attacks. Darkworm has not publicly disclosed their real identity or background, but the sophistication of PamDOORa suggests a deep understanding of Linux internals, especially the PAM subsystem.

Why is PAM a critical component of this backdoor?

PAM (Pluggable Authentication Module) is a core Linux mechanism that handles authentication for services like SSH, login, and sudo. By embedding malicious code into the PAM stack, PamDOORa can intercept every authentication attempt on the system without raising red flags. Because PAM is trusted by all applications, any modification to it, especially adding a backdoor, gives attackers a powerful persistence mechanism that survives reboots and software updates. Moreover, because PAM modules are loaded directly into the privileged processes that perform authentication (sshd, login, sudo), the backdoor operates at a low level, and antivirus or endpoint detection systems cannot simply remove it without risking breaking the entire authentication system.

How does the magic password and TCP port combination enable persistent access?

PamDOORa requires two specific inputs to trigger its backdoor: a magic password and a particular TCP port. The magic password is a secret string chosen by the attacker and hardcoded into the malicious PAM module. When an SSH connection arrives on the designated port (for example, port 22 or a non-standard high port), PamDOORa checks the submitted password. If it matches the magic string, the backdoor authenticates the user immediately, even if the username does not exist or the account's real password is incorrect. This combination ensures that only the attacker, who knows both the port and the password, can activate the backdoor, while legitimate users continue to authenticate normally. The result is stealthy, persistent access that can be used repeatedly without triggering any alarms.


What are the implications for SSH security?

SSH is a standardized protocol used for secure remote administration of Linux servers. The existence of PamDOORa shows that even well-vetted authentication mechanisms can be subverted at the module level. Once a system is compromised, attackers can use this backdoor to steal additional SSH credentials by logging all plaintext passwords that pass through the infected PAM module. This can lead to rapid lateral movement within a network, as stolen credentials can be reused on other machines. Furthermore, because PamDOORa does not rely on network-level anomalies like reverse shells, it can bypass firewalls and intrusion detection systems that monitor for outbound connections. Organizations that depend solely on SSH for remote access must now consider PAM integrity as a critical attack surface.
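The two preceding sections describe the trigger (a password-based SSH login, possibly on a non-standard port) and the consequence (passwords that reach the PAM stack can be harvested). The following script, an added defender-side example that is not code from the article or from PamDOORa, audits both sides: it parses an sshd_config for extra Port lines and for settings that let passwords reach PAM at all, and scans OpenSSH's standard "Accepted <method> for <user> from <ip> port <n>" log lines for PAM-backed logins as root, logins by unknown accounts, and password logins by accounts that should only use keys. The config text, log lines, account lists and the assumption that the first occurrence of a keyword wins (OpenSSH semantics) are all constructed or assumed for the example; Match blocks are deliberately skipped.

```python
"""Flag sshd settings and login events consistent with a PAM-level password backdoor.

Added example, not from the original article or from PamDOORa. Assumes OpenSSH's
default log line ('Accepted <method> for <user> from <ip> port <n> ssh2') and a
sshd_config in 'Keyword value' form where the first occurrence of a keyword wins.
The config text, log lines and account lists in demo() are constructed samples.
"""
import re

ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# Methods whose password travels through the PAM stack (publickey does not).
PAM_METHODS = {"password", "keyboard-interactive/pam"}


def parse_sshd_config(text: str) -> dict:
    """Collect global directives (lowercased keys); repeats such as Port are kept.
    Parsing stops at the first Match block, whose conditional settings are out of scope."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        cfg.setdefault(key, []).append(value)
    return cfg


def config_findings(cfg: dict, expected_ports=(22,)) -> list:
    """Settings that widen the password path or add listening ports beyond the expected set."""
    findings = []
    ports = [int(p) for p in cfg.get("port", ["22"])]
    extra = sorted(set(ports) - set(expected_ports))
    if extra:
        findings.append(f"sshd listens on unexpected port(s) {extra}")
    # OpenSSH defaults: PasswordAuthentication yes, PermitRootLogin prohibit-password.
    if cfg.get("passwordauthentication", ["yes"])[0].lower() == "yes":
        findings.append("PasswordAuthentication enabled: passwords reach the PAM stack")
    if cfg.get("permitrootlogin", ["prohibit-password"])[0].lower() == "yes":
        findings.append("PermitRootLogin yes: root reachable with a password alone")
    return findings


def login_findings(log_lines, known_users, key_only_users=()) -> list:
    """Accepted logins that a PAM backdoor would produce but normal use should not."""
    findings = []
    for line in log_lines:
        m = ACCEPTED.search(line)
        if not m:
            continue
        user, method, ip = m["user"], m["method"], m["ip"]
        if method in PAM_METHODS and user == "root":
            findings.append(f"PAM-backed login as root from {ip}")
        elif user not in known_users:
            findings.append(f"login as unknown account {user!r} via {method} from {ip}")
        elif method in PAM_METHODS and user in key_only_users:
            findings.append(f"PAM-backed login for key-only account {user!r} from {ip}")
    return findings


def demo() -> tuple:
    """Run both checks over constructed input; returns (config findings, login findings)."""
    cfg_text = """\
# constructed sshd_config
Port 22
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
"""
    logs = [  # constructed auth.log excerpt
        "Jan 12 03:14:07 web1 sshd[2211]: Accepted publickey for deploy from 10.0.0.8 port 50122 ssh2: ED25519 SHA256:constructedfingerprint",
        "Jan 12 03:15:40 web1 sshd[2240]: Accepted password for root from 203.0.113.5 port 40311 ssh2",
        "Jan 12 03:16:02 web1 sshd[2251]: Accepted password for svc_backup from 203.0.113.5 port 40320 ssh2",
        "Jan 12 03:16:30 web1 sshd[2260]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2",
        "Jan 12 03:17:11 web1 sshd[2270]: Accepted keyboard-interactive/pam for deploy from 203.0.113.5 port 40333 ssh2",
    ]
    cfg = parse_sshd_config(cfg_text)
    return config_findings(cfg), login_findings(logs, {"root", "alice", "deploy"}, {"deploy"})


if __name__ == "__main__":
    for group in demo():
        for finding in group:
            print("FINDING:", finding)
```

Note that a successful login is logged by sshd itself after PAM returns success, so these "Accepted password" lines are produced even when a backdoored module short-circuited the check; correlating them against the accounts and methods you actually expect is what turns them into a signal.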

How can organizations defend against PamDOORa?

Defending against PamDOORa requires a multi-layered approach. First, maintain strict file integrity monitoring for PAM library files (e.g., /lib/security/ and /etc/pam.d/). Any unexpected changes should trigger an immediate investigation. Second, use system hardening tools like SELinux or AppArmor to restrict what PAM modules can access. Third, implement multi-factor authentication for SSH so that even if a backdoor intercepts the password, a second factor is still required. Fourth, regularly audit system logs for unusual SSH connections, especially those using non-standard ports. Finally, keep the operating system and all PAM-related packages up to date to patch known vulnerabilities that might be exploited to install malicious modules in the first place. Proactive monitoring and minimal trust in default authentication pathways are key to staying ahead of this threat.
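The first defensive step above, integrity monitoring of the PAM configuration and module files, is concrete enough to script. The following is an added example written for this page, not code from the article or from any PAM project: it parses every file under a pam.d directory for the modules it references, flags any module not on an allowlist of stock modules, and compares the SHA-256 of each shared object in the module directory against a baseline recorded when the host was known clean. The allowlist, the baseline, and the pam.d and module files that demo() builds in a temporary directory are all constructed for the example; on a real host you would point audit() at /etc/pam.d and your distribution's PAM module directory and store the baseline off-box.

```python
"""Audit a PAM stack against a known-good baseline.

Added example, not code from the original article or from PamDOORa. It assumes a
baseline of SHA-256 hashes recorded when the host was known clean; the pam.d
files, module directory and baseline used by demo() are constructed samples.
"""
import hashlib
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Modules a stock sshd stack on common distributions legitimately uses.
# An allowlist assumption for this example, not an exhaustive list.
KNOWN_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_limits.so", "pam_motd.so",
    "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so", "pam_systemd.so",
    "pam_deny.so", "pam_permit.so", "pam_mail.so", "pam_faildelay.so",
    "pam_sepermit.so", "pam_lastlog.so",
}

# "<type> <control> <module> [args]"; the control field may be a bracketed
# [key=value ...] form, so that alternative is tried first. '@include' lines
# are not module references and do not match.
PAM_LINE = re.compile(
    r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)"
)


def parse_pam_line(line: str):
    """Return the module file name referenced by one pam.d line, or None."""
    m = PAM_LINE.match(line)
    return Path(m.group(3)).name if m else None  # bare name or absolute path


def referenced_modules(pamd_dir: Path) -> dict:
    """Map each referenced module name to the pam.d service files that use it."""
    refs = {}
    for svc in sorted(p for p in pamd_dir.iterdir() if p.is_file()):
        for line in svc.read_text().splitlines():
            mod = parse_pam_line(line)
            if mod:
                refs.setdefault(mod, set()).add(svc.name)
    return refs


def audit(pamd_dir: Path, module_dir: Path, baseline: dict) -> list:
    """Return findings; an empty list means the stack matches allowlist and baseline."""
    findings = []
    # 1. Configuration references a module that is not on the allowlist.
    for mod, services in referenced_modules(pamd_dir).items():
        if mod not in KNOWN_MODULES:
            findings.append(f"unknown module {mod} referenced by {sorted(services)}")
    # 2. Module files on disk that are unbaselined or whose hash changed.
    for so in sorted(module_dir.glob("*.so")):
        digest = hashlib.sha256(so.read_bytes()).hexdigest()
        if so.name not in baseline:
            findings.append(f"unbaselined module file {so.name}")
        elif baseline[so.name] != digest:
            findings.append(f"modified module file {so.name}")
    # 3. Baselined module files that are gone (possibly replaced elsewhere).
    for name in baseline:
        if not (module_dir / name).exists():
            findings.append(f"baselined module {name} missing")
    return findings


def demo() -> list:
    """Audit a constructed pam.d and module directory with planted deviations."""
    with TemporaryDirectory() as tmp:
        pamd, mods = Path(tmp, "pam.d"), Path(tmp, "security")
        pamd.mkdir()
        mods.mkdir()
        (pamd / "sshd").write_text(
            "auth       required     pam_nologin.so\n"
            "@include common-auth\n"
            "session    required     pam_loginuid.so\n"
        )
        (pamd / "common-auth").write_text(
            "auth    [success=1 default=ignore]  pam_unix.so nullok\n"
            "auth    requisite                   pam_deny.so\n"
            "auth    optional                    pam_helper.so\n"  # constructed, not allowlisted
        )
        # Constructed module bytes; pam_unix.so differs from its baselined hash.
        (mods / "pam_unix.so").write_bytes(b"unix-module-bytes-v2")
        (mods / "pam_deny.so").write_bytes(b"deny-module-bytes")
        (mods / "pam_helper.so").write_bytes(b"helper-module-bytes")
        baseline = {
            "pam_unix.so": hashlib.sha256(b"unix-module-bytes-v1").hexdigest(),
            "pam_deny.so": hashlib.sha256(b"deny-module-bytes").hexdigest(),
            "pam_nologin.so": "0" * 64,  # baselined on the clean host but absent here
        }
        return audit(pamd, mods, baseline)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Because a PAM backdoor can be introduced either by editing a service file to load a new module or by replacing an existing module in place, the audit checks both the references and the bytes; a baseline stored on the monitored host itself is only as trustworthy as that host, so keep it elsewhere and run the comparison from a clean system where you can.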
