New Linux Backdoor PamDOORa Steals SSH Credentials via PAM


A new Linux backdoor called PamDOORa uses PAM modules to steal SSH credentials. Sold for $1,600 on a Russian forum, it grants persistent access via a magic password and specific TCP port.

If you're responsible for Linux server security, there's a new threat you need to know about. Researchers have uncovered a backdoor called PamDOORa that's being sold on a Russian cybercrime forum for $1,600. The threat actor behind it goes by "darkworm," and this tool is designed to give attackers persistent SSH access to compromised systems.

### What Makes PamDOORa Dangerous?

PamDOORa isn't your average backdoor. It's built as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit. That means it hooks directly into the authentication system of Linux servers. Once installed, it can steal SSH credentials without leaving obvious traces.

The trick is simple but effective. The backdoor uses a "magic password" combined with a specific TCP port to grant access. So even if you change your SSH passwords regularly, an attacker with this backdoor can still slip in unnoticed.

### How Does It Work?

Think of PAM as the gatekeeper for user authentication on Linux. Normally, it checks passwords and decides who gets in. But PamDOORa modifies this gatekeeper to do two things at once:

- It allows entry when the correct magic password is used on a specific port
- It secretly logs all legitimate SSH credentials as users log in

This dual purpose makes it extra sneaky. System administrators might notice nothing unusual because the server still works normally for everyone else.

### Who's at Risk?

Any Linux server running SSH is a potential target. But the biggest risk is for organizations that rely heavily on remote access. Think about:

- Web hosting companies managing hundreds of servers
- DevOps teams with cloud infrastructure
- Any business using Linux for critical applications

The price tag of $1,600 suggests this isn't a toy for script kiddies. It's a professional-grade tool aimed at serious attackers.

### How to Protect Your Systems

Staying safe from PamDOORa requires a multi-layered approach. Here's what you can do:

- Monitor PAM configuration files for any unauthorized changes
- Use SSH key-based authentication instead of passwords where possible
- Implement two-factor authentication for SSH access
- Regularly audit your system for unknown processes or open ports
- Keep your Linux kernel and security patches up to date

### The Bottom Line

PamDOORa is a reminder that Linux security isn't just about strong passwords. Attackers are getting smarter about bypassing authentication systems from the inside. The best defense is vigilance and layered security.

If you manage Linux servers, take a few minutes today to check your PAM configurations. A quick audit could save you from a costly breach down the line.
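The first item in the protection list above, monitoring PAM configuration files for unauthorized changes, is the one most admins never automate. The script below is an added example written for this article; it is not code from the researchers or from the backdoor's author. It parses pam.d-style entries (including bracketed control fields and `@include` lines), flags any module that is loaded from an unusual path or is not on an operator-maintained allowlist, and compares the file's SHA-256 against a baseline you record off-host. The allowlist, the trusted module directories and the sample `sshd` file are all assumptions constructed for the demo; the `/tmp` entry is a hypothetical placeholder, not a real indicator.

```python
"""Audit PAM stack configuration for unexpected modules and baseline drift.

Added example for this article; not code from the article or its researchers.
The allowlist and trusted directories below are assumptions for the demo.
"""
import hashlib
from dataclasses import dataclass

# Assumption: modules an operator expects in an sshd PAM stack. Build the real
# list from the distro's packaged modules rather than copying this one.
EXPECTED_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
    "pam_nologin.so", "pam_selinux.so", "pam_loginuid.so", "pam_keyinit.so",
    "pam_limits.so", "pam_motd.so", "pam_mail.so", "pam_lastlog.so",
    "pam_faildelay.so", "pam_systemd.so", "pam_access.so",
}

# Assumption: directories the PAM loader normally reads modules from.
TRUSTED_MODULE_DIRS = (
    "/lib/security/", "/lib64/security/", "/usr/lib/security/",
    "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/",
)

PAM_TYPES = {"auth", "account", "password", "session"}


@dataclass
class Finding:
    line_no: int
    line: str
    reason: str


def parse_pam_line(line):
    """Split one pam.d line into (type, control, module, args).

    Returns None for blank lines, comments, @include directives and lines
    that are not a well-formed four-field PAM entry.
    """
    tokens = line.split()
    if not tokens or tokens[0].startswith("#") or tokens[0] == "@include":
        return None
    mtype = tokens[0].lstrip("-")       # a leading '-' silences a missing module
    if mtype not in PAM_TYPES or len(tokens) < 3:
        return None
    i = 1
    if tokens[i].startswith("["):       # bracketed control: [success=ok ...]
        ctrl = []
        while i < len(tokens):
            ctrl.append(tokens[i])
            i += 1
            if ctrl[-1].endswith("]"):
                break
        control = " ".join(ctrl)
    else:
        control = tokens[i]
        i += 1
    if i >= len(tokens):
        return None
    return mtype, control, tokens[i], tokens[i + 1:]


def audit_pam_config(text, expected=EXPECTED_MODULES):
    """Return findings for modules loaded from odd paths or not on the allowlist."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(line)
        if parsed is None:
            continue
        _, _, module, _ = parsed
        if module.startswith("/") and not module.startswith(TRUSTED_MODULE_DIRS):
            findings.append(Finding(no, line.strip(),
                                    f"module loaded from untrusted path {module}"))
        name = module.rsplit("/", 1)[-1]
        if name not in expected:
            findings.append(Finding(no, line.strip(),
                                    f"module {name} is not on the allowlist"))
    return findings


def config_digest(text):
    """SHA-256 of the file contents; record this off-host as the baseline."""
    return hashlib.sha256(text.encode()).hexdigest()


def has_drifted(text, baseline_hex):
    """True when the current contents no longer match the recorded baseline."""
    return config_digest(text) != baseline_hex


# Constructed sample of an /etc/pam.d/sshd file. The /tmp entry is a
# hypothetical unexpected module for the demo, not a real indicator.
SAMPLE_SSHD_PAM = """\
# constructed sample for the example
@include common-auth
auth       required     pam_nologin.so
account    required     pam_nologin.so
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
# hypothetical unexpected entry (constructed for this example)
auth       sufficient   /tmp/.cache/pam_helper.so
session    optional     pam_motd.so
"""

if __name__ == "__main__":
    for f in audit_pam_config(SAMPLE_SSHD_PAM):
        print(f"line {f.line_no}: {f.reason}\n    {f.line}")
```

On a real host, run `audit_pam_config` over every file in `/etc/pam.d` plus `/etc/pam.conf` (follow each `@include` to its own file), and keep the baseline digests somewhere the server cannot rewrite them. A config audit alone is not enough, because a backdoor can also replace an allowlisted `.so` with a trojaned copy, so pair this with your package manager's file-integrity check (for example `debsums` on Debian-based systems or `rpm -V` on RPM-based ones) over the PAM module directory.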