
PamDOORa SSH Backdoor: The 'Magic Password' Attack Explained

Published  ·  10 min read
Updated on May 09, 2026

You type your SSH password, press Enter, and you are logged in. Everything seems normal. But someone else has just logged in without knowing any user's password at all: they typed a "magic password," and the server opened its doors as though they were the administrator.

This is not a vulnerability in SSH itself. It is a backdoor called PamDOORa, and it hides inside one of the most trusted components of any Linux system.
Let me explain how it works.

What Is PamDOORa

PamDOORa is a malicious PAM (Pluggable Authentication Module) backdoor discovered by security researchers. It targets Linux systems and gives attackers persistent, stealthy access via SSH.
What PAM normally does:

Function                Description
Authentication          Verifies passwords, biometrics, tokens
Account management      Checks expiry, time restrictions
Session management      Sets up and tears down user sessions
Password management     Enforces password strength policies

PAM is everywhere: login, SSH, sudo, su and GUI lock screens all rely on PAM to decide who gets in.

What PamDOORa does:
1. It replaces or modifies a legitimate PAM module
2. It accepts a "magic password" that works for any account
3. It records every genuine credential that users type
4. It transmits the saved credentials to the attacker

Normal use of the system continues, so legitimate users notice nothing and the attacker can keep the backdoor in place without being detected.

PamDOORa's "Magic" Passwords: How Authentication Bypass Operates

PamDOORa relies on a single "magic password" secret hard-coded into the malicious PAM module.
Typical SSH login sequence:
1. A user has an account with a username and password and authenticates with them.
2. The SSH client sends the username and password to the server, where sshd hands them to the PAM stack.
3. The PAM module checks the entered password against the one stored in the system credential database.
4. If they match, the user is authenticated and allowed to log in.
5. If they do not match, access is denied.

With PamDOORa installed:
1. Whoever is logging in, a legitimate user or an attacker, enters a username and password.
2. The malicious PAM module first compares the entered password against the "magic" string.
3. If it matches, the user is authenticated immediately, bypassing the normal PAM check.
4. If it does not match, PAM checks the password normally against the system credential database.
5. Legitimate users never learn that the magic password exists.
The attacker can now log in as any user: root, admin, a service account, any username works as long as they supply the magic password.

What the magic password looks like:
Researchers have found variants using different hard-coded strings. Some examples include "p@ssw0rd" and "admin123"; others use more complex strings designed to evade dictionary-based detection.
The specific string varies by sample, but the mechanism is identical across all variants.

Credential Harvesting: Stealing Every Password Typed

The magic password is dangerous, but the credential-harvesting feature is devastating.

How the harvesting works:
When a legitimate user types their real password, PamDOORa does two things:
1. It passes the password on to the normal PAM authentication, so the user logs in successfully and sees nothing unusual
2. Before doing so, it records the username and password in a hidden file

Where stolen credentials go:
1. A hidden local file such as /var/tmp/.cache or /dev/shm/.log
2. A remote command-and-control (C2) server, via HTTP or DNS tunnelling
3. Local storage for later exfiltration

With the harvested credentials the attacker can:
1. Obtain the passwords of every user who logs in via SSH, sudo or su
2. Access other systems where those users have reused their passwords
3. Escalate privileges by abusing the compromised accounts

Once an attacker has these credentials, they can move laterally across the victim's entire network without exploiting a single vulnerability; they simply try the same passwords on every server.

Why PamDOORa Is So Hard to Detect

PAM modules are trusted. They are part of the operating system's core authentication system, and security tools rarely scan them.
Detection challenges:

Challenge                        Why It Matters
PAM runs as root                 The backdoor has full system access
PAM modules are rarely scanned   Most EDR ignores /etc/pam.d/
No new processes                 Everything runs inside sshd
No network anomalies             Credential exfiltration is small and slow
System still works               No crash, no error logs

How attackers maintain persistence:
PamDOORa is itself the persistence mechanism. Once it is installed, the attacker keeps access even if the system is rebooted, even if sshd is patched, and even if the root password is changed. The only way to remove PamDOORa is to locate and remove the malicious PAM module.

Attackers typically deploy PamDOORa after they have already breached the system and gained root access. They then install it as a persistent backdoor that remains active until someone specifically checks PAM integrity.

How to Find PamDOORa

Do not rely on standard anti-virus software; your best bet for finding PamDOORa is to audit your PAM modules and configuration.
Check 1: Verify PAM module integrity
# List all PAM modules (Debian/Ubuntu also keep them under /lib/x86_64-linux-gnu/security/)
ls -la /lib/security/pam_*.so
ls -la /lib64/security/pam_*.so

# Check file modification times
stat /lib/security/pam_unix.so
stat /lib/security/pam_auth.so

Look for:
1. Core PAM modules whose modification time is more recent than the last package update
2. Files whose size is unusual compared with the rest of the directory
3. Newly created module files whose names closely resemble existing ones

Check 2: Audit the PAM configuration of each service
# Display the PAM configuration for SSH
cat /etc/pam.d/sshd

# Display the PAM configuration for sudo
cat /etc/pam.d/sudo

# Display the PAM configuration for console logins
cat /etc/pam.d/login

Treat the following as potential concerns:
1. Any "auth sufficient" line that you did not expect in a service's PAM configuration
2. Any reference to a non-standard PAM module
3. Any module loaded from a path other than the standard module directory
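The three concerns above can be checked mechanically. The script below is an added example written for this article, not tooling from the page or from any PamDOORa research; it parses the contents of a pam.d service file and flags unexpected "auth sufficient" lines, modules outside an allowlist, and modules loaded from non-standard paths. The allowlist and directory list are assumptions for a stock Debian/RHEL-style stack and should be rebuilt from a clean install of your own distribution. The sample service files are constructed; the suspect one simply has the line from the article's installation example appended.

```python
import re

# Module names this example treats as expected in a stock auth stack.
# This allowlist is an assumption; build yours from a clean install of the
# same distribution and version, not from a possibly compromised host.
EXPECTED_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_nologin.so", "pam_limits.so",
    "pam_motd.so", "pam_mail.so", "pam_loginuid.so", "pam_selinux.so",
    "pam_keyinit.so", "pam_systemd.so", "pam_faillock.so", "pam_deny.so",
    "pam_permit.so", "pam_sss.so", "pam_succeed_if.so",
}
# Modules that legitimately appear with 'sufficient' on auth lines in many distros.
SUFFICIENT_OK = {"pam_unix.so", "pam_sss.so"}
# Directories modules are normally loaded from; an absolute path elsewhere is suspect.
STANDARD_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                 "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/")

# facility, control (a word or a [bracketed action list]), module, arguments
LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def audit_pam_config(service, text):
    """Return a list of findings for the contents of one /etc/pam.d/<service> file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"{service}:{lineno}: unparseable line: {line}")
            continue
        facility, control, module, _args = m.groups()
        if control in ("include", "substack"):
            continue                                  # names another service file, not a module
        name = module.rsplit("/", 1)[-1]
        if "/" in module and not module.startswith(STANDARD_DIRS):
            findings.append(f"{service}:{lineno}: module loaded from non-standard path {module}")
        if name not in EXPECTED_MODULES:
            findings.append(f"{service}:{lineno}: unknown module {name}")
        # On an auth line, 'sufficient' means a pass from this module ends the stack
        # with success (unless an earlier 'required' module already failed), which
        # is exactly the shape a magic-password module needs.
        if facility == "auth" and control == "sufficient" and name not in SUFFICIENT_OK:
            findings.append(f"{service}:{lineno}: unexpected 'auth sufficient' with {name}")
    return findings


# Constructed samples (not real configuration from any host).
CLEAN_SSHD = """\
# /etc/pam.d/sshd (constructed sample, loosely Debian-style)
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       requisite    pam_deny.so
auth       required     pam_permit.so
account    required     pam_nologin.so
account    required     pam_unix.so
session    required     pam_loginuid.so
-session   optional     pam_systemd.so
"""
# The same file with the line from the article's installation example appended.
SUSPECT_SSHD = CLEAN_SSHD + "auth       sufficient   pam_auth_backdoor.so\n"
# A known module name loaded from a path where no package installs modules.
SUSPECT_SUDO = """\
# /etc/pam.d/sudo (constructed sample)
auth       sufficient   /var/tmp/.pam/pam_unix.so
@include common-auth
@include common-account
session    required     pam_limits.so
"""

if __name__ == "__main__":
    for svc, text in (("sshd", CLEAN_SSHD), ("sshd", SUSPECT_SSHD), ("sudo", SUSPECT_SUDO)):
        print(svc, audit_pam_config(svc, text) or "no findings")
```

In production, read each file under /etc/pam.d/ (and /etc/pam.conf where it exists) and feed it to audit_pam_config; a finding is a starting point for the integrity and log checks, not proof of compromise on its own, since distributions and MFA packages add their own modules.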

Check 3: Look for suspicious activity in the logs
To list successful SSH logins on systems that write to /var/log/auth.log:
grep "Accepted" /var/log/auth.log

To see successful logins, and the source IP addresses behind them, from the systemd journal:
# the unit is named sshd rather than ssh on Red Hat-family systems
journalctl -u ssh | grep "Accepted"

Pay attention to:
1. Many different accounts logging in from the same IP address
2. Logins to accounts that should not have been reachable with a password
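Grepping for "Accepted" gives the raw list; the pattern that actually points at a magic password is one source address succeeding against many different accounts with password authentication. The script below is an added example written for this article (not tooling from the page) that parses sshd "Accepted" lines and reports such sources. The log lines are constructed, using the documentation address range 203.0.113.0/24 for the suspicious source; the threshold of three accounts is an assumption to tune for your environment.

```python
import re
from collections import defaultdict

# Matches the standard OpenSSH success line for both password and key logins.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample log; not captured from a real host.
SAMPLE_AUTH_LOG = """\
May  9 08:01:12 web1 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2: ED25519 SHA256:abc
May  9 08:05:40 web1 sshd[2240]: Accepted password for alice from 10.0.0.7 port 51090 ssh2
May  9 09:12:03 web1 sshd[2310]: Failed password for bob from 203.0.113.9 port 40011 ssh2
May  9 09:12:10 web1 sshd[2310]: Accepted password for bob from 203.0.113.9 port 40011 ssh2
May  9 09:12:31 web1 sshd[2322]: Accepted password for root from 203.0.113.9 port 40020 ssh2
May  9 09:13:02 web1 sshd[2330]: Accepted password for postgres from 203.0.113.9 port 40031 ssh2
May  9 09:13:45 web1 sshd[2341]: Accepted password for alice from 203.0.113.9 port 40044 ssh2
"""


def parse_accepted(log_text):
    """Yield (user, ip, method) for every successful sshd login line."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            yield m["user"], m["ip"], m["method"]


def accounts_per_source(log_text):
    """Map each source IP to the set of accounts it logged into (any method)."""
    seen = defaultdict(set)
    for user, ip, _method in parse_accepted(log_text):
        seen[ip].add(user)
    return dict(seen)


def flag_sources(log_text, threshold=3, password_only=True):
    """Return source IPs that logged into at least `threshold` distinct accounts.

    With password_only set, key-based logins are ignored: a magic-password
    backdoor is exercised through the password path, so publickey successes
    are noise for this particular check.
    """
    seen = defaultdict(set)
    for user, ip, method in parse_accepted(log_text):
        if password_only and method != "password":
            continue
        seen[ip].add(user)
    return sorted(ip for ip, users in seen.items() if len(users) >= threshold)


if __name__ == "__main__":
    for ip in flag_sources(SAMPLE_AUTH_LOG):
        print(ip, "->", sorted(accounts_per_source(SAMPLE_AUTH_LOG)[ip]))
```

Feed it the output of `journalctl -u ssh --no-pager` or the contents of /var/log/auth.log; a root or service-account login by password from an address that also hit several ordinary users is the case to escalate first.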

Check 4: Compare with a known-clean install
If you have an identical system that you know is clean, run the commands below on each system and compare the results:
# On the CLEAN system: checksum the PAM module and save the result to clean-hashes.txt
md5sum /lib/security/pam_unix.so > clean-hashes.txt

# On the SUSPICIOUS system: checksum the same module and save the result to suspect-hashes.txt
# (copy both files to one machine before comparing; prefer sha256sum where available, since MD5 collisions are practical)
md5sum /lib/security/pam_unix.so > suspect-hashes.txt

# Compare the two checksum files; any difference is a serious finding
diff clean-hashes.txt suspect-hashes.txt
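The same comparison can be done for a whole module directory, which also catches the "new file with a familiar name" case from Check 1. The script below is an added example written for this article, not the page's procedure; it snapshots SHA-256 digests of every .so in a directory, compares a later snapshot against that baseline, and classifies each module as modified, added or missing. The demo builds a temporary directory of constructed stand-in files (they are not real PAM modules) so it runs offline; on a real host you would record the baseline on the clean system and keep it off-box.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large modules are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(module_dir):
    """Return {filename: sha256} for every *.so directly under module_dir."""
    return {p.name: hash_file(p) for p in sorted(Path(module_dir).glob("*.so"))}


def compare(baseline, current):
    """Classify modules as modified, added or missing relative to the baseline."""
    report = {"modified": [], "added": [], "missing": []}
    for name, digest in current.items():
        if name not in baseline:
            report["added"].append(name)
        elif baseline[name] != digest:
            report["modified"].append(name)
    report["missing"] = [n for n in baseline if n not in current]
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed scenario: baseline a clean directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        sec = Path(d)
        # Stand-ins for real modules; the bytes are made up, not ELF files.
        (sec / "pam_unix.so").write_bytes(b"clean pam_unix build 1.5")
        (sec / "pam_env.so").write_bytes(b"clean pam_env build 1.5")
        baseline = snapshot(sec)  # what you would record on the clean host
        # Simulated tampering: one module altered, one unfamiliar module dropped in.
        (sec / "pam_unix.so").write_bytes(b"clean pam_unix build 1.5" + b"\x00tampered")
        (sec / "pam_auth_backdoor.so").write_bytes(b"dropped module")
        return compare(baseline, snapshot(sec))


if __name__ == "__main__":
    print(demo())
```

On package-managed hosts, `rpm -V` (Red Hat family) and `debsums` (Debian family) verify the PAM package's files against the distribution's own digests, which avoids trusting a baseline taken from a host that may already have been compromised.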

How Attackers Install PamDOORa

PamDOORa is not a remote exploit. It is a post-exploitation persistence tool: attackers install it after they already have root access.

Typical installation methods:

Method                  Description
Compromised SSH key     Attacker with a root SSH key deploys the module
Other backdoor          A web shell, cron job or service drops the file
Supply chain attack     A compromised installer or update delivers it
Insider threat          A malicious administrator installs it directly

What the installation looks like:
# Attacker copies malicious PAM module to system
cp pam_custom.so /lib/security/pam_auth_backdoor.so

# Attacker modifies PAM configuration to load it
echo "auth sufficient pam_auth_backdoor.so" >> /etc/pam.d/sshd
echo "auth sufficient pam_auth_backdoor.so" >> /etc/pam.d/sudo

# Attacker restarts sshd to activate
systemctl restart sshd
The backdoor is now active; the attacker can log in with the magic password.

How to Remove PamDOORa

If you detect PamDOORa, do not just delete the file; the attacker very likely has other persistence methods.
Immediate steps:
1. Isolate the system from the network immediately
2. Identify all modified PAM files using the integrity checks above
3. Restore from known-clean backup (preferred method) or reinstall the OS
4. Rotate every credential that ever touched that system: SSH keys, passwords, API tokens, all of them
5. Check for other backdoors before returning the system to service

Why you should not just delete the module:
The attacker had root access. They could have installed other backdoors or modified system binaries. The only way to be certain the system is clean is to rebuild it from trusted media.

The Bottom Line

PamDOORa is dangerous because it hides in plain sight: PAM modules are trusted, they are never scanned, and they run with the highest privileges.
The magic password gives attackers instant access as any user, the credential harvester steals everyone else's passwords, and the system never alerts because nothing appears broken.

Your defense checklist:
1. Audit PAM module integrity quarterly
2. Monitor hash changes on core authentication libraries
3. Use file integrity monitoring (AIDE, Tripwire, Osquery) on /lib/security/
4. Implement SSH key-only authentication where possible (reduces password attack surface)
5. Require MFA for SSH access (defeats password-only backdoors)
6. Assume breach and monitor authentication logs for "impossible travel" patterns

The attacker only needs to install this backdoor once; they will have access forever unless you specifically look for it.
Look for it.

FAQ Section

1. What is the "magic password" in PamDOORa?
The magic password is a hard-coded string embedded in the malicious PAM module. When an attacker types this password for any username, the backdoor grants access immediately without checking the real password. The specific string varies by sample.

2. Does PamDOORa work on all Linux distributions?
Yes. PamDOORa works on any Linux distribution that uses PAM for authentication, including Ubuntu, Debian, Red Hat, CentOS, Fedora and Alpine (with glibc). The module must be compiled for the target's architecture.

3. Can antivirus detect PamDOORa?
Most traditional antivirus solutions do not scan PAM modules because they are trusted system components. Some EDR solutions with file integrity monitoring can detect unexpected changes to /lib/security/, but this must be specifically configured.

4. How do I know if my system has PamDOORa?
Run the detection commands in this article: check for unexpected PAM modules, compare hashes against a clean installation, and audit the PAM configuration files for unusual "auth sufficient" lines.

5. Can PamDOORa be installed without root access?
No. Installing a PAM module requires root access. PamDOORa is a post-exploitation tool, not an initial access vector; if an attacker can install PamDOORa, they already have root on your system.


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067