
Pam Backdoor Targets Linux Systems to Steal SSH Credentials
Why It Matters
The Pam backdoor demonstrates how native Linux authentication mechanisms can be weaponized, exposing a critical attack surface for enterprises that rely heavily on SSH for remote access. Detecting and mitigating such abuse is essential to protect credential integrity and maintain compliance in cloud‑centric environments.
Key Takeaways
- The backdoor adds a pam_exec.so entry to the sshd PAM stack so a malicious script runs on every SSH authentication attempt.
- The script exfiltrates the username, remote host, timestamp and other PAM-exported environment variables to a remote host with netcat.
- Because the entry is marked optional, the hook runs whether or not authentication succeeds and never changes the outcome, so sshd's own log entries look normal.
- Persistence is a single edited configuration file, /etc/pam.d/sshd, rather than a new binary or service.
- Mitigation: audit /etc/pam.d/ against package-owned copies, enforce file-integrity monitoring, and confine sshd and its children with SELinux or AppArmor.
Pulse Analysis
Linux's PAM architecture is prized for its modularity, allowing administrators to plug custom authentication logic into services such as sshd, login and su. That same flexibility becomes a covert attack vector when the configuration files are tampered with. The newly disclosed technique, referred to as PamDOORa, leverages pam_exec, a legitimate module that runs an external command at any stage of the PAM stack (auth, account, session or password), to inject a script that silently records credential data on every SSH login. The hook changes nothing about the authentication result and emits no log record of its own, so sshd and the auth log record an ordinary login and a conventional SIEM sees nothing out of place.
Technical analysis shows the backdoor modifies /etc/pam.d/sshd, adding a pam_exec line with the optional control flag that executes a hidden script regardless of authentication success. pam_exec exports PAM items such as PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TYPE to the child process; the script reads these from its environment, adds a timestamp, and pipes the record to a remote server with netcat over a predefined port. Because the control flag is optional, the module's return value is ignored by the stack: a failed or missing script does not block logins, and a working one does not alter them, preserving the appearance of normal system behaviour. This persistence layer can remain undetected for extended periods, especially in environments lacking file-integrity monitoring or granular SELinux/AppArmor policies.
For organizations, the threat underscores the need for proactive PAM hardening. Regular audits of /etc/pam.d/ that compare each service file against the package-owned copy (for example with rpm -V or debsums) and review every pam_exec argument list, deployment of integrity-checking tools, and strict permission controls on PAM modules and the scripts they invoke are immediate defenses. Complementary measures such as enhanced authentication logging, EDR rules that flag sshd spawning interpreters or netcat, and mandatory SELinux/AppArmor confinement further reduce the attack surface. As Linux continues to dominate cloud and on-premise workloads, understanding and securing native authentication frameworks will be a cornerstone of robust cyber-risk management.
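The audit described above can be automated. The following is an added example written for this article, not code from the researchers or from the backdoor itself. It parses the PAM stack format (type, control, module, arguments), including bracketed controls such as [success=1 default=ignore] and @include lines, and reports every pam_exec.so entry with a severity based on which stack it sits in, its control flag, where its script lives and which pam_exec options it carries. The sample sshd file embedded in the block is constructed for the demonstration; the script path and the login-notify hook are illustrative, not indicators from the report. The expose_authtok check goes beyond what the article describes: it is a documented pam_exec option that passes the typed password to the script on stdin, and any pam_exec line carrying it deserves immediate scrutiny.

```python
"""Audit a PAM service file for pam_exec hooks that could log SSH credentials.

Added example for this article (not the article's or the backdoor's code).
Usage on a live host:  python3 pam_audit.py /etc/pam.d/sshd
With no argument it audits the constructed sample below.
"""
import re
import sys
from dataclasses import dataclass, field

PAM_TYPES = {"auth", "account", "password", "session"}
SEVERITY_RANK = {"INFO": 0, "MEDIUM": 1, "HIGH": 2}
# Locations where a PAM-invoked script has no business living.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/", "/home/")

# Constructed sample of a Debian-style /etc/pam.d/sshd with one hostile
# pam_exec hook (line 5) and one routine login-notification hook (line 10).
# Paths are illustrative assumptions, not indicators from the report.
SAMPLE_SSHD_PAM = """\
# PAM configuration for the Secure Shell service (constructed sample)
auth       [success=1 default=ignore]  pam_unix.so nullok
auth       requisite    pam_deny.so
auth       required     pam_permit.so
auth       optional     pam_exec.so quiet /usr/share/.cache/.sync.sh
account    required     pam_nologin.so
@include common-account
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_exec.so /usr/local/sbin/login-notify.sh
"""

@dataclass
class PamEntry:
    lineno: int
    type: str
    control: str
    module: str
    args: list = field(default_factory=list)

@dataclass
class Finding:
    lineno: int
    severity: str
    reason: str

# type, control (bracketed controls may contain spaces), module path, arguments
_LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Parse module lines of a PAM service file; comments and @include are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        mtype, control, module, rest = m.groups()
        mtype = mtype.lstrip("-")  # a leading '-' only silences missing-module errors
        if mtype not in PAM_TYPES:
            continue
        entries.append(PamEntry(lineno, mtype, control, module, rest.split()))
    return entries

def audit_pam_exec(text):
    """Return Findings for every pam_exec.so entry in the given PAM file text."""
    findings = []
    for e in parse_pam(text):
        if not e.module.endswith("pam_exec.so"):
            continue
        # pam_exec's own options precede the command; the command is the first absolute path.
        script = next((a for a in e.args if a.startswith("/")), "")
        options = e.args[: e.args.index(script)] if script else e.args
        add = lambda sev, why: findings.append(Finding(e.lineno, sev, why))
        add("INFO", f"pam_exec.so runs {script or '<no command>'} in the {e.type} stack")
        if e.type in ("auth", "account"):
            add("HIGH", "hook runs on every authentication attempt, failed ones included")
        if "expose_authtok" in options:
            add("HIGH", "expose_authtok hands the typed password to the script on stdin")
        if any(part.startswith(".") for part in script.split("/") if part):
            add("HIGH", "script path contains a hidden (dot-prefixed) component")
        if script.startswith(SUSPICIOUS_DIRS):
            add("HIGH", "script lives in a scratch or user-writable directory")
        if e.control == "optional":
            add("MEDIUM", "control 'optional' means the script's result never affects login")
        if "quiet" in options:
            add("MEDIUM", "'quiet' suppresses pam_exec's own error reporting")
    return findings

def worst_severity(findings):
    """Highest severity across findings, or None when nothing was flagged."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default=None)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_PAM
    for f in audit_pam_exec(text):
        print(f"line {f.lineno}: {f.severity:6} {f.reason}")
```

On the sample, the auth-stack hook is reported HIGH twice (it runs on failed attempts and its path is hidden) plus two MEDIUM notes, while the session-stack notification hook only earns an INFO and a MEDIUM for its optional control; that is the triage split a practitioner wants, since pam_exec in the session stack is common in legitimate deployments. Run it across every file in /etc/pam.d/ rather than sshd alone, and pair it with a file-integrity watch (for example an auditd rule of the form -w /etc/pam.d -p wa) so that the next edit is caught as it happens rather than at the next audit.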