https://hackingpassion.com/tags/post-exploitation/Recent content in Post-Exploitation on HackingPassion.com : root@HackingPassion.com-[~]HugoenSun, 10 May 2026 12:12:16 +0200https://hackingpassion.com/pamdoora-linux-ssh-backdoor/Sun, 10 May 2026 12:12:16 +0200https://hackingpassion.com/pamdoora-linux-ssh-backdoor/<p>A backdoor called <strong>PamDOORa</strong> targets Linux systems through PAM and steals SSH credentials from every user who logs in. It leaves no trace in process lists, antivirus, or logs. When the security team connects via SSH to investigate, their credentials get stolen too.</p> <p>When someone logs into a Linux server, the system runs <strong>PAM</strong> to check the password. PAM stands for <strong>Pluggable Authentication Modules</strong>, and it handles authentication for everything that requires a login: SSH, sudo, the login prompt. Instead of building that check into each program separately, Linux sends everything through PAM using configuration files stored in <code>/etc/pam.d/</code>, one file per service. The file for SSH is <code>/etc/pam.d/sshd</code>. It tells PAM which modules to run, in what order, and what to do when one fails.</p>