• New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

    From Axel@3:633/10 to All on Sunday, May 10, 2026 11:49:51

    https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html?m=1

    --
    Linux Mint 22.3


    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From CtrlAltDel@3:633/10 to All on Sunday, May 10, 2026 04:20:06
    Subject: Re: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

    On Sun, 10 May 2026 11:49:51 +1000, Axel wrote:

    https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html?m=1

    I doubt it can use Ram modules to affect my system. I'm using old DDR3
    Ram and they are so old they are probably immune. It would be like
    someone that owns a '66 426 Plymouth Roadrunner being afraid of being
    spied on like they own a new Chinese BYD vehicle or something.

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Axel@3:633/10 to All on Sunday, May 10, 2026 16:04:18
    Subject: Re: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

    CtrlAltDel wrote:
    On Sun, 10 May 2026 11:49:51 +1000, Axel wrote:

    https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html?m=1

    I doubt it can use Ram modules to affect my system. I'm using old DDR3
    Ram and they are so old they are probably immune. It would be like
    someone that owns a '66 426 Plymouth Roadrunner being afraid of being
    spied on like they own a new Chinese BYD vehicle or something.

    I have pc's using DDR3 and others DDR4. I don't understand these news
    items. I just post them in case they're relevant

    --
    Linux Mint 22.3


    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From german newsgroups@3:633/10 to All on Sunday, May 10, 2026 08:20:29
    Subject: Re: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

    On 10/05/2026 at 08:04, Axel wrote:
    CtrlAltDel wrote:
    On Sun, 10 May 2026 11:49:51 +1000, Axel wrote:

    https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html?m=1

    I doubt it can use Ram modules to affect my system. I'm using old DDR3
    Ram and they are so old they are probably immune. It would be like
    someone that owns a '66 426 Plymouth Roadrunner being afraid of being
    spied on like they own a new Chinese BYD vehicle or something.

    I have pc's using DDR3 and others DDR4. I don't understand these news
    items. I just post them in case they're relevant


    how many people have a job in NTIC office and what for :)

    --
    Kind regards,

    Frenchy Friendly, & French touch !

    german

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From CtrlAltDel@3:633/10 to All on Sunday, May 10, 2026 07:27:47
    Subject: Re: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

    On Sun, 10 May 2026 16:04:18 +1000, Axel wrote:

    I have pc's using DDR3 and others DDR4. I don't understand these news
    items. I just post them in case they're relevant

    That's a great response. I don't understand half of what I say either.


    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Jeff Layman@3:633/10 to All on Sunday, May 10, 2026 09:21:21
    Subject: Re: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

    On 10/05/2026 02:49, Axel wrote:

    https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html?m=1

    "Although there is no evidence that the malware has been put to use in real-world attacks, infection chains distributing the malware are likely
    to involve the adversary first obtaining root access to the host through
    some other means and deploying the PamDOORa PAM module to capture
    credentials and establish persistent access over SSH."

    How does the adversary gain root access in the first place? The above
    states "are /likely/ to involve...", but <https://cybersecuritynews.com/new-pamdoora-backdoor-attacking-linux-systems/> puts it even more strongly:
    "PamDOORa is designed as a post-exploitation tool, meaning the attacker
    must already have root access before deploying it."

    So the attacker /must/ have root access. How do they get that?

    --
    Jeff

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From PC-3FingerSalute@3:633/10 to All on Sunday, May 10, 2026 11:51:04
    Subject: Re: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

    CtrlAltDel wrote:
    On Sun, 10 May 2026 11:49:51 +1000, Axel wrote:

    https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html?m=1

    I doubt it can use Ram modules to affect my system.

    Oh dear.

    If CtrlAltDel is trying to make a joke of sorts, then it is a very lame
    joke.

    If CtrlAltDel really cannot see the difference between "PAM" and "RAM"
    at 32px, the headline font size on that web page, then a visit to the
    optician is needed.

    [followup set]

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From CtrlAltDel@3:633/10 to All on Sunday, May 10, 2026 20:46:04
    Subject: Re: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

    On Sun, 10 May 2026 11:51:04 +0100, PC-3FingerSalute wrote:

    If CtrlAltDel is trying to make a joke of sorts, then it is a very lame
    joke.

    If CtrlAltDel really cannot see the difference between "PAM" and "RAM"
    at 32px, the headline font size on that web page, then a visit to the optician is needed.

    What's the difference between PAM and RAM, Mr. Genius?



    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Axel@3:633/10 to All on Tuesday, May 12, 2026 08:56:01
    Subject: Re: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

    CtrlAltDel wrote:
    On Sun, 10 May 2026 11:51:04 +0100, PC-3FingerSalute wrote:

    If CtrlAltDel is trying to make a joke of sorts, then it is a very lame
    joke.

    If CtrlAltDel really cannot see the difference between "PAM" and "RAM"
    at 32px, the headline font size on that web page, then a visit to the
    optician is needed.
    What's the difference between PAM and RAM, Mr. Genius?



    Google AI says..

    PAM stands for Pluggable Authentication Modules.

    In simple terms, it is a flexible framework that Linux uses to handle
    how you log in and prove who you are to the system. Instead of every
    single app (like SSH, your desktop login, or sudo) having its own code
    to check passwords, they all talk to PAM.

    Think of PAM like a universal wall socket: different "plugs" (modules)
    can be swapped in or out without changing the appliance (the
    application) itself.

    Why does it matter?
      • Decoupling: Developers don't have to write custom code for every
        authentication method (fingerprints, passwords, LDAP, etc.). They just
        ask PAM, "Is this person who they say they are?"
      • Flexibility: As an admin, you can change your system from using
        standard passwords to using YubiKeys or Google Authenticator just by
        editing a text file, without ever touching the source code of your apps.

    How it works
    PAM organizes its work into four main "management groups," often seen in configuration files:
      • auth (Authentication): Verifies the user's identity (e.g., "Enter
        your password").
      • account (Account Management): Checks if the account is actually
        allowed to log in right now (e.g., has the password expired? Is it after
        work hours?).
      • password (Password Management): Handles the process of updating
        the authentication token (e.g., when you run the passwd command).
      • session (Session Management): Handles tasks that happen at the
        start and end of a session (e.g., mounting a home directory or logging
        the login time).

    Key Files and Directories
    If you want to see PAM in action on your own system, look at these
    locations:
      • /etc/pam.d/: This directory contains the configuration files for
        every PAM-aware application (e.g., sshd, sudo, login).
      • /usr/lib/security/: This is usually where the actual module files
        (ending in .so) are stored. These are the "plugins" that do the heavy
        lifting.

    A Practical Example
    If you look at the Arch Linux Wiki on PAM, you'll see that when you run
    sudo, it checks its configuration in /etc/pam.d/sudo. That file might
    tell PAM to first check your password using pam_unix.so and then check
    if you're in the right group using pam_wheel.so.

    Warning: Be very careful when editing these files! One typo can lock
    everyone (including the root user) out of the system entirely. It is
    always a good idea to keep a root terminal open while testing changes so
    you can undo them if things break.

    --
    Linux Mint 22.3


    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
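
The layout described in the post above (per-service files under /etc/pam.d/, each line naming a management group and a module), as an added example that is not part of any post in this thread: a small Python parser that lists the modules a service's PAM stack loads and reports any that are missing from an admin-supplied baseline. The sample file, the baseline set and the module name pam_example_unknown.so are constructed for illustration.

```python
import re

# Constructed sample of an /etc/pam.d/sshd-style file (not from a real host).
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service
@include common-auth
auth       required     pam_unix.so nullok
auth       optional     pam_example_unknown.so
account    required     pam_nologin.so
-session   optional     pam_systemd.so
session    [success=ok ignore=ignore default=bad] pam_selinux.so close
password   required     /usr/lib/security/pam_unix.so sha512
"""

# Assumed baseline: build the real one from a known-good install of your distro.
BASELINE = {"pam_unix.so", "pam_nologin.so", "pam_systemd.so", "pam_selinux.so"}

GROUPS = {"auth", "account", "password", "session"}
# group (optional leading "-"), control (word or [bracketed list]), module, args
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (rules, includes) for one pam.d file's contents."""
    rules, includes = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("@include"):          # Debian-style include directive
            includes.append(line.split()[1])
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) not in GROUPS:
            continue
        group, control, module, args = m.groups()
        if control in ("include", "substack"):   # third field names another file
            includes.append(module)
            continue
        rules.append({"group": group, "control": control,
                      "module": module, "args": args.split()})
    return rules, includes

def unexpected_modules(rules, baseline=BASELINE):
    """List (group, module file name) pairs not present in the baseline."""
    # Compares file names only; a full path outside the usual module
    # directory deserves a manual look even when the name matches.
    return [(r["group"], r["module"].rsplit("/", 1)[-1]) for r in rules
            if r["module"].rsplit("/", 1)[-1] not in baseline]
```

Included files have to be parsed the same way to see the whole stack, and a name match says nothing about whether the .so on disk is the one the package shipped, so pair this with the package manager's file verification.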
  • From Lawrence D'Oliveiro@3:633/10 to All on Tuesday, May 12, 2026 02:16:36
    Subject: Re: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

    On Tue, 12 May 2026 08:56:01 +1000, Axel wrote:

    One typo can lock everyone (including the root user) out of the
    system entirely.

    One of the first things budding sysadmins learn is how to recover from
    such a mistake.

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)