New PamDOORa Linux PAM Backdoor Enables Persistent SSH Credential Theft
What Happened — Researchers uncovered a novel Linux backdoor named PamDOORa being sold on the Russian cyber‑crime forum Rehub for $1,600. The tool is delivered as a malicious Pluggable Authentication Module (PAM) that grants attackers persistent SSH access through a “magic” password and a hard‑coded TCP port.
Why It Matters for TPRM
- Any third party that runs Linux servers (cloud hosts, MSPs, SaaS platforms) can be silently compromised.
- The backdoor harvests SSH credentials, providing attackers with long‑term footholds in critical environments.
- Because PAM modules load at authentication time, detection is difficult without dedicated integrity monitoring.
Who Is Affected — Cloud‑infrastructure providers, Managed Service Providers (MSPs), SaaS vendors, and any organization that relies on Linux‑based workloads.
Recommended Actions —
- Inventory all PAM modules on Linux assets and verify their cryptographic signatures.
- Deploy file‑integrity monitoring (e.g., Tripwire, OSSEC) to alert on unauthorized PAM changes.
- Enforce multi‑factor authentication for SSH and rotate privileged credentials regularly.
- Block the undocumented TCP port used by PamDOORa (default 4242) at the network perimeter.
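As an added defensive check for the first action above (example code written here, not from the article or The Hacker News), the Python below parses pam.d service files and flags any referenced module that is not on a known-good baseline; the sample sshd configuration, the baseline set and the module name pam_sshhelper.so are constructed for illustration.

```python
"""Flag PAM modules referenced from /etc/pam.d that are not on a known-good baseline."""
import re
from pathlib import Path

# Directive grammar: type, control (a word or a bracketed [key=val ...] spec), module, args.
_DIRECTIVE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)

def parse_pam_lines(lines):
    """Return (type, control, module, args) for each active directive; comments and @include are skipped."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        m = _DIRECTIVE.match(line)
        if m:  # a leading '-' means "skip silently if the module is missing"; drop it for comparison
            entries.append((m["type"].lstrip("-"), m["control"], m["module"], m["args"] or ""))
    return entries

def find_unknown_modules(entries, baseline):
    """Compare on basename so '/lib/security/x.so' and 'x.so' are treated alike."""
    return sorted({Path(module).name for _, _, module, _ in entries} - set(baseline))

def scan_pam_dir(pam_dir, baseline):
    """Scan every service file under pam_dir; returns {service: [unknown modules]}."""
    findings = {}
    for service in sorted(Path(pam_dir).iterdir()):
        if service.is_file():
            unknown = find_unknown_modules(parse_pam_lines(service.read_text().splitlines()), baseline)
            if unknown:
                findings[service.name] = unknown
    return findings

# Constructed sample. Assumption: BASELINE is built from a golden image or package manifest
# (e.g. dpkg -L libpam-modules / rpm -ql pam); this set and pam_sshhelper.so are made up.
BASELINE = {"pam_nologin.so", "pam_unix.so", "pam_succeed_if.so", "pam_keyinit.so", "pam_systemd.so"}
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service (constructed)
auth       required     pam_nologin.so
@include common-auth
auth       sufficient   /lib/security/pam_sshhelper.so
account    [success=1 default=ignore] pam_succeed_if.so uid >= 1000
account    required     pam_unix.so
session    optional     pam_keyinit.so force revoke
-session   optional     pam_systemd.so
"""

if __name__ == "__main__":
    for name in find_unknown_modules(parse_pam_lines(SAMPLE_SSHD.splitlines()), BASELINE):
        print(f"sshd: module not on baseline -> {name}")
```

On a live host, call scan_pam_dir("/etc/pam.d", BASELINE) and pair any hit with a package-manager check such as dpkg -S or rpm -qf on the flagged file.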
Technical Notes — Attack vector: malicious PAM module (malware) installed via compromised package or insider. No public CVE; the backdoor stores harvested SSH usernames/passwords and can be used to exfiltrate additional data. Source: The Hacker News