
PamDOORa Linux Backdoor: Detecting PAM-Based Persistence and SSH Credential Theft

Security Arsenal Team
May 9, 2026

Security operations teams should prioritise PamDOORa, a Linux backdoor recently disclosed by researchers and advertised on the Russian-language cybercrime forum Rehub by the threat actor "darkworm" for $1,600. It is a notable step forward in Linux persistence tradecraft.

Rather than dropping an SSH key or a cron job, PamDOORa hooks the Pluggable Authentication Modules (PAM) layer, which places the attacker directly in the operating system's authentication path. From there it can grant access on a "magic password" (reportedly combined with a specific TCP port) without ever consulting the account's real password hash, while recording the cleartext passwords of legitimate users for exfiltration. The impact is high: once implanted, every backdoor login is written to the logs by sshd as an ordinary successful login, so detection depends on file integrity monitoring (FIM) of the PAM configuration and module directories, or on careful log analysis, rather than on failed-login alerting.

Technical Analysis

  • Threat Actor: darkworm
  • Platform: Linux distributions utilizing PAM (Debian, Ubuntu, RHEL, CentOS, etc.)
  • Mechanism: Malicious PAM shared object (.so) module
  • Persistence: PamDOORa is likely installed by editing configuration files in /etc/pam.d/ to load a malicious shared library: commonly sshd or common-auth on Debian/Ubuntu, and password-auth or system-auth on RHEL-family systems, which sshd includes. Distribution modules live in /lib/<arch>-linux-gnu/security (Debian/Ubuntu) or /usr/lib64/security (RHEL-family), but a PAM line may reference a module by absolute path, so the library can sit anywhere on disk. libpam loads it on every SSH authentication attempt.
  • Capabilities:
    • Authentication Bypass: The module checks for a specific "magic password" supplied by the attacker. If it matches, access is granted regardless of the account's validity or password hash.
    • Conditional Triggering: The backdoor logic is reportedly triggered by the magic password in combination with a specific TCP port. This suggests the attacker connects from a fixed source port, or uses a secondary non-standard port, to signal intent and blend in with ordinary traffic on port 22. Note that standard PAM items expose the remote host (PAM_RHOST) to a module but not the TCP port, and the public reporting does not say how the module learns it; treat the port detail as unconfirmed until a sample is analysed.
    • Credential Harvesting: For every other login (legitimate users), the module reads the cleartext password from the PAM conversation and records it before handing control to the real authentication modules, so the user's login still succeeds normally.
  • Exploitation Status: PamDOORa is sold as a post-exploitation tool; its availability on open forums lowers the barrier to entry for low-skill actors and organised crime groups alike. Installing it requires prior root-level compromise (for example, exploiting a web vulnerability or abusing stolen credentials) in order to drop the module and modify the PAM configuration.
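Because a magic-password login is recorded by sshd as an ordinary "Accepted password" event, one of the few log-side artifacts is a password login for an account that pam_unix could never have authenticated: a locked or disabled shadow entry, or no local entry at all. The following hunt is an added example and is not code from the original page or from the PamDOORa tooling; it assumes local accounts only (no LDAP/NIS) and OpenSSH's syslog line format, and every log line and shadow entry in it is constructed sample data.

```python
"""Hunt sshd logs for password logins that pam_unix could not have granted.

Added example; not code from the original page or from PamDOORa.
A PAM-layer magic-password backdoor returns success before the real password
check runs, so sshd logs the session as an ordinary "Accepted password" event.
An accepted password login for an account whose local /etc/shadow entry is
locked ('!' or '*' prefix) or missing cannot be explained by pam_unix and is
worth a closer look. Assumes local accounts only and OpenSSH syslog format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# OpenSSH's syslog line for a successful password login.
ACCEPTED_RE = re.compile(
    r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


@dataclass
class Finding:
    user: str
    ip: str
    port: int      # client source port, kept in case the reported port trigger is a source port
    reason: str
    line: str


def parse_shadow(text: str) -> dict[str, str]:
    """Map user -> password field (second field) from /etc/shadow content."""
    hashes: dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def impossible_reason(hash_field: str | None) -> str | None:
    """Return why pam_unix could not have verified a password, or None if it could."""
    if hash_field is None:
        return "no local shadow entry for account"
    if hash_field == "":
        return "empty password field (only valid with pam_unix nullok)"
    if hash_field[0] in "!*":
        return "account locked or password disabled in shadow"
    return None


def hunt(auth_log: str, shadow: str) -> list[Finding]:
    """Return every accepted-password login that the shadow database cannot explain."""
    hashes = parse_shadow(shadow)
    findings: list[Finding] = []
    for line in auth_log.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue                      # failures, publickey logins, other daemons
        reason = impossible_reason(hashes.get(m["user"]))
        if reason:
            findings.append(Finding(m["user"], m["ip"], int(m["port"]), reason, line))
    return findings


# Constructed sample data: RFC 5737 documentation addresses and fake hashes.
SAMPLE_SHADOW = """\
root:!:19850:0:99999:7:::
alice:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19850:0:99999:7:::
backup:*:19850:0:99999:7:::
"""

SAMPLE_AUTH_LOG = """\
May  8 03:14:07 web01 sshd[2211]: Failed password for alice from 198.51.100.5 port 40112 ssh2
May  8 03:14:11 web01 sshd[2211]: Accepted password for alice from 198.51.100.5 port 40112 ssh2
May  8 03:20:42 web01 sshd[2290]: Accepted password for backup from 203.0.113.7 port 51022 ssh2
May  8 03:21:05 web01 sshd[2301]: Accepted password for deploy from 203.0.113.7 port 51022 ssh2
May  8 03:25:19 web01 sshd[2340]: Accepted publickey for alice from 198.51.100.5 port 40200 ssh2: ED25519 SHA256:abc
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_AUTH_LOG, SAMPLE_SHADOW):
        print(f"{f.user:<8} from {f.ip}:{f.port}  {f.reason}")
```

On the constructed data the alice login is explained by her hash and is skipped, while the backup (disabled) and deploy (no shadow entry) logins are reported. In production, feed it journalctl or auth.log output and a copy of /etc/shadow taken from a trusted snapshot, since a compromised host may also have had its shadow file edited.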

Detection & Response

Detecting PamDOORa requires a focus on the modification of PAM configuration files and the introduction of unauthorized shared objects into system security paths.

Sigma Rules

The following Sigma rules target the specific behavioral indicators of PAM tampering and the dropping of malicious shared libraries.

YAML
---
title: Potential PamDOORa PAM Configuration Modification
id: 8f2b1c09-5e4d-4a3c-9b12-7d8e9f0a1b2c
status: experimental
description: Detects editors or copy/move utilities touching PAM configuration files or PAM module directories, indicative of backdoor installation such as PamDOORa.
references:
  - https://attack.mitre.org/techniques/T1556/003/
author: Security Arsenal
date: 2026/05/06
tags:
  - attack.persistence
  - attack.credential_access
  - attack.t1556.003
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '/vim'
      - '/vim.basic'
      - '/nano'
      - '/vi'
      - '/sed'
      - '/tee'
      - '/cp'
      - '/mv'
    CommandLine|contains:
      - '/etc/pam.d/'
      - '/etc/pam.conf'
      - '/lib/security/'
      - '/lib64/security/'
      - '-linux-gnu/security/'
  condition: selection
falsepositives:
  - Legitimate system administration updates
level: high
---
title: Suspicious Shared Object Creation in PAM Path
id: 9c3d2e10-6f5a-4b4d-8c23-1e0f1a2b3c4d
status: experimental
description: Detects the creation or modification of .so (shared object) files within Linux PAM module directories by anything other than the package manager, a common vector for PAM-based backdoors.
references:
  - https://attack.mitre.org/techniques/T1556/003/
author: Security Arsenal
date: 2026/05/06
tags:
  - attack.persistence
  - attack.credential_access
  - attack.t1556.003
logsource:
  product: linux
  category: file_event
detection:
  selection:
    TargetFilename|contains:
      - '/lib/security/'
      - '/lib64/security/'
      - '-linux-gnu/security/'
    TargetFilename|endswith: '.so'
  filter_pkg_mgr:
    Image|endswith:
      - '/dpkg'
      - '/rpm'
      - '/yum'
      - '/dnf'
  condition: selection and not filter_pkg_mgr
falsepositives:
  - Operating system updates (apt/yum) and manual installation of PAM packages
  - dnf runs inside the Python interpreter, so the Image filter may need tuning per environment
level: high

KQL (Microsoft Sentinel)

Hunt for suspicious process activity related to PAM modifications. This query assumes the hosts run the Microsoft Defender for Endpoint sensor for Linux, so that DeviceProcessEvents is populated (via the Defender XDR connector in Sentinel, or directly in Advanced Hunting). Logs that arrive only through the Syslog/AMA connector land in the Syslog table and need a different query. Note that the editor or copy utility is the process itself (FileName), not the parent (InitiatingProcessFileName).

KQL — Microsoft Sentinel / Defender
// Hunt for PAM tampering and suspicious library drops
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("vim", "vim.basic", "nano", "vi", "sed", "tee", "cp", "mv", "wget", "curl")
| where ProcessCommandLine contains "/etc/pam.d/"
    or ProcessCommandLine contains "/etc/pam.conf"
    or ProcessCommandLine contains "lib/security/"
    or ProcessCommandLine contains "lib64/security/"
    or ProcessCommandLine contains "-linux-gnu/security/"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

This Velociraptor query pair lists PAM configuration files modified in the last seven days, then breaks every active line of /etc/pam.d/sshd into its type, control flag and module name so the analyst can compare the module list against what the distribution's PAM package ships. glob() already returns Mtime and Size for each match, so no separate stat() call is needed, and parse_lines() is used instead of read_file() because the latter returns raw data chunks rather than lines.

VQL — Velociraptor
-- Hunt for recently modified PAM configuration files
SELECT OSPath, Mtime, Size
FROM glob(globs=['/etc/pam.d/*', '/etc/pam.conf'])
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

-- Parse every active (non-comment) line of the sshd stack. Review any module
-- the PAM package does not ship, any module given by absolute path, and any
-- 'sufficient' entry that sits above pam_unix.so.
SELECT Line,
       parse_string_with_regex(
         string=Line,
         regex='^[ \t]*(?P<Type>-?auth|-?account|-?password|-?session)[ \t]+(?P<Control>[[][^]]*[]]|[^ \t]+)[ \t]+(?P<Module>[^ \t]+)') AS Parsed
FROM parse_lines(filename='/etc/pam.d/sshd')
WHERE NOT Line =~ '^[ \t]*(#|$)'

Remediation Script (Bash)

Run this script on potentially compromised Linux endpoints to check PAM integrity and surface indicators of PamDOORa. It is read-only: it prints findings for an analyst and deletes nothing. Take a forensic image before remediating, since the module directory and PAM files are evidence.

Bash / Shell
#!/bin/bash
# PamDOORa response script: PAM configuration and module integrity checks.
# Read-only: prints indicators for an analyst. Image the host before deleting anything.
set -u

echo "[*] Starting PamDOORa checks..."

# 1. Recently modified PAM configuration files (last 7 days).
echo "[+] PAM configuration files modified in the last 7 days:"
find /etc/pam.d /etc/pam.conf -type f -mtime -7 -ls 2>/dev/null

# 2. Shared objects in PAM module directories that no package owns.
#    Debian/Ubuntu keep modules in /lib/<triplet>/security, RHEL-family in
#    /lib64/security (both under /usr on merged-usr systems), so search every
#    security/ directory below the real library roots. The second lookup with
#    /usr stripped covers dpkg databases that still record the pre-merge path.
echo "[+] PAM module files not owned by any package:"
if command -v dpkg >/dev/null 2>&1; then
    owned() { dpkg -S "$1" >/dev/null 2>&1 || dpkg -S "${1#/usr}" >/dev/null 2>&1; }
elif command -v rpm >/dev/null 2>&1; then
    owned() { rpm -qf "$1" >/dev/null 2>&1 || rpm -qf "${1#/usr}" >/dev/null 2>&1; }
else
    owned() { return 1; }    # no package manager: report everything
fi
roots=()
for d in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib; do
    [ -d "$d" ] && [ ! -L "$d" ] && roots+=("$d")   # skip merged-usr symlinks
done
find "${roots[@]}" -path '*/security/*' -name '*.so*' -type f 2>/dev/null | sort -u |
while read -r so; do
    owned "$so" || echo "    UNOWNED: $so  (mtime $(stat -c '%y' "$so"))"
done

# 3. Active (non-comment) lines in the sshd stack and the files it includes.
#    Review every module name here against the PAM package's module list.
echo "[+] Active module lines in the sshd PAM stack:"
for f in /etc/pam.d/sshd /etc/pam.d/common-auth /etc/pam.d/common-account \
         /etc/pam.d/password-auth /etc/pam.d/system-auth; do
    [ -f "$f" ] && { echo "  -- $f"; grep -nvE '^[[:space:]]*(#|$)' "$f"; }
done

# 4. Package verification of PAM files (catches modified files, not added ones).
echo "[+] Package verification of PAM files:"
command -v debsums >/dev/null 2>&1 && debsums -a -c 2>/dev/null | grep -E 'pam|/security/'
command -v rpm >/dev/null 2>&1 && rpm -V pam 2>/dev/null

echo "[*] Check complete. If unknown files or suspicious entries were found, initiate Incident Response procedures."

Remediation

  1. Contain the Compromise: Isolate the affected host from the network immediately to stop lateral movement and further credential exfiltration.
  2. Audit PAM Configuration: Inspect /etc/pam.d/sshd and the files it includes (common-auth on Debian/Ubuntu; password-auth and system-auth on RHEL-family systems). Look for any module the distribution's PAM package does not ship (pam_unauthorized.so is an illustrative name only; the attacker picks the name), for modules referenced by absolute path, and for a sufficient entry placed above pam_unix.so, which ends the stack before the real password check. Record the offending lines, then remove them.
  3. Remove Malicious Artifacts: Preserve a copy of the malicious .so identified in step 2 for analysis, then delete it. It will be in the PAM module directory (/lib/<arch>-linux-gnu/security on Debian/Ubuntu, /usr/lib64/security on RHEL-family) or at an arbitrary path such as /usr/local/lib if the configuration referenced it absolutely.
  4. Credential Rotation: Assume every password entered on this system during the period of compromise was captured, and that SSH keys stored on it were readable. Force a password reset for all users (including anywhere those passwords were reused), regenerate the SSH host keys, and rotate authorized keys.
  5. Root Cause Analysis: Determine how the attacker gained the root access needed to install the module. Check logs for web shell activity, exploit attempts, or abuse of valid accounts.
  6. Re-image or Verify Integrity: If possible, re-image the host from a known clean gold image. If not, verify package-managed files with rpm -Va or debsums -a (the -a flag is needed for debsums to check configuration files). Both tools only report changes to files a package owns, so a freshly dropped module owned by no package will not appear; pair them with a search for unowned files in the module directories.
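Step 2 is easier to do reliably with a parser that flattens the stack the way libpam reads it, following Debian-style @include and RHEL-style include/substack directives, than with grep alone. The following auditor is an added example and is not code from the original page or from PamDOORa. It reports modules outside a caller-supplied baseline, modules referenced by absolute path, and any sufficient (or [success=done ...]) entry above pam_unix.so in the auth type. The configuration text, the hypothetical injected module name pam_example_backdoor.so, and the baseline allow-list are all constructed for the example; in practice the baseline comes from dpkg -L libpam-modules or rpm -ql pam.

```python
"""Resolve and audit a PAM service stack the way libpam will read it.

Added example; not code from the original page or from PamDOORa.
Follows Debian '@include' and RHEL 'include'/'substack' directives, parses
keyword and bracketed controls, and flags unknown modules, absolute-path
modules, and 'sufficient' entries that precede pam_unix.so in the auth type.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)


@dataclass
class PamEntry:
    service: str   # file the line came from, after include resolution
    mtype: str     # auth | account | password | session | unparsable
    control: str   # required | sufficient | requisite | optional | [ ... ]
    module: str    # module as written, e.g. pam_unix.so or /usr/local/lib/pam_x.so
    args: str


def parse_stack(configs: dict[str, str], service: str,
                _seen: frozenset[str] = frozenset()) -> list[PamEntry]:
    """Flatten one service file into the ordered module lines libpam evaluates."""
    if service in _seen:                         # guard against include loops
        return []
    _seen = _seen | {service}
    entries: list[PamEntry] = []
    for raw in configs.get(service, "").splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("@include"):          # Debian: pulls in every type
            entries.extend(parse_stack(configs, line.split()[1], _seen))
            continue
        m = LINE_RE.match(line)
        if not m:
            entries.append(PamEntry(service, "unparsable", "", "", line))
            continue
        mtype = m["type"].lstrip("-")            # leading '-' = silence if missing
        control, module, args = m["control"], m["module"], m["args"].strip()
        if control in ("include", "substack"):   # RHEL: only lines of this type
            entries.extend(e for e in parse_stack(configs, module, _seen)
                           if e.mtype == mtype)
            continue
        entries.append(PamEntry(service, mtype, control, module, args))
    return entries


def audit(entries: list[PamEntry], baseline: set[str]) -> list[tuple[str, str, str]]:
    """Return (category, service, detail) findings for an analyst to review."""
    findings: list[tuple[str, str, str]] = []
    auth = [e for e in entries if e.mtype == "auth"]
    unix_pos = next((i for i, e in enumerate(auth)
                     if e.module.rsplit("/", 1)[-1] == "pam_unix.so"), len(auth))
    for e in entries:
        if e.mtype == "unparsable":
            findings.append(("unparsable-line", e.service, e.args))
            continue
        name = e.module.rsplit("/", 1)[-1]
        if name not in baseline:
            findings.append(("unknown-module", e.service, f"{e.mtype} {e.control} {e.module}"))
        if "/" in e.module:
            findings.append(("absolute-path", e.service, e.module))
    for e in auth[:unix_pos]:                    # a success here skips the real check
        if e.control == "sufficient" or "success=done" in e.control:
            findings.append(("sufficient-before-pam_unix", e.service, f"{e.control} {e.module}"))
    return findings


# Constructed Debian/Ubuntu-style stack with one hypothetical injected line.
CONFIGS = {
    "sshd": (
        "# PAM configuration for the Secure Shell service\n"
        "auth       sufficient   pam_example_backdoor.so   # hypothetical injected line\n"
        "@include common-auth\n"
        "account    required     pam_nologin.so\n"
        "@include common-account\n"
        "session    required     pam_loginuid.so\n"
        "-session   optional     pam_systemd.so\n"
    ),
    "common-auth": (
        "auth\t[success=1 default=ignore]\tpam_unix.so nullok\n"
        "auth\trequisite\t\t\tpam_deny.so\n"
        "auth\trequired\t\t\tpam_permit.so\n"
    ),
    "common-account": (
        "account\t[success=1 new_authtok_reqd=done default=ignore]\tpam_unix.so\n"
        "account\trequisite\t\t\tpam_deny.so\n"
        "account\trequired\t\t\tpam_permit.so\n"
    ),
}
# Hypothetical baseline; build the real one from `dpkg -L libpam-modules` or `rpm -ql pam`.
BASELINE = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_nologin.so",
            "pam_loginuid.so", "pam_systemd.so"}

if __name__ == "__main__":
    for cat, svc, detail in audit(parse_stack(CONFIGS, "sshd"), BASELINE):
        print(f"[{cat}] {svc}: {detail}")
```

On the constructed stack the injected line is reported twice: once as an unknown module and once as a sufficient entry above pam_unix.so. Legitimate sufficient modules that precede pam_unix.so (fingerprint or smart-card modules, for example) are reported too; that is intentional, as each one deserves a manual look during an incident.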
