From Newsgroup: alt.os.linux.ubuntu


https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html?m=1 --
Linux Mint 22.3

--- Synchronet 3.22a-Linux NewsLink 1.2

From Newsgroup: alt.os.linux.ubuntu

On Sun, 10 May 2026 11:49:51 +1000, Axel wrote:

https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-

pam.html?m=1

I doubt it can use Ram modules to affect my system. I'm using old DDR3
Ram and they are so old they are probably immune. It would be like someone that owns a '66 426 Plymouth Roadrunnner being afraid of being spied on
like they own a new Chinese BYD vehicle or something.
--- Synchronet 3.22a-Linux NewsLink 1.2

From Newsgroup: alt.os.linux.ubuntu

CtrlAltDel wrote:

On Sun, 10 May 2026 11:49:51 +1000, Axel wrote:

https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-

pam.html?m=1

I doubt it can use Ram modules to affect my system. I'm using old DDR3
Ram and they are so old they are probably immune. It would be like someone that owns a '66 426 Plymouth Roadrunnner being afraid of being spied on
like they own a new Chinese BYD vehicle or something.

I have pc's using DDR3 and others DDR4. I don't understand these news
items. I just post them in case they're relevant
--
Linux Mint 22.3

--- Synchronet 3.22a-Linux NewsLink 1.2

From Newsgroup: alt.os.linux.ubuntu

Le 10/05/2026 |a 08:04, Axel a |-crit-a:

CtrlAltDel wrote:

On Sun, 10 May 2026 11:49:51 +1000, Axel wrote:

https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-

pam.html?m=1

I doubt it can use Ram modules to affect my system.-a I'm using old DDR3
Ram and they are so old they are probably immune. It would be like
someone
that owns a '66 426 Plymouth Roadrunnner being afraid of being spied on
like they own a new Chinese BYD vehicle or something.

I have pc's using DDR3 and others DDR4. I don't understand these news
items. I just post them in case they're relevant

how many people have a job in NTIC office and what for :)
--
Amicalement,

Frenchy Friendly, & French touch !

german
--- Synchronet 3.22a-Linux NewsLink 1.2

From Newsgroup: alt.os.linux.ubuntu

On Sun, 10 May 2026 16:04:18 +1000, Axel wrote:

I have pc's using DDR3 and others DDR4. I don't understand these news
items. I just post them in case they're relevant

That's a great response. I don't understand half of what I say either. EfyaN+A

--- Synchronet 3.22a-Linux NewsLink 1.2

From Newsgroup: alt.os.linux.ubuntu

On 10/05/2026 02:49, Axel wrote:

https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html?m=1

"Although there is no evidence that the malware has been put to use in real-world attacks, infection chains distributing the malware are likely
to involve the adversary first obtaining root access to the host through
some other means and deploying the PamDOORa PAM module to capture
credentials and establish persistent access over SSH."

How does the adversary gain root access in the first place? The above
states "are /likely/ to involve...", but <https://cybersecuritynews.com/new-pamdoora-backdoor-attacking-linux-systems/> puts it even more strongly:
"PamDOORa is designed as a post-exploitation tool, meaning the attacker
must already have root access before deploying it."

So the attacker /must/ have root access. How do they get that?
--
Jeff
--- Synchronet 3.22a-Linux NewsLink 1.2

From Newsgroup: alt.os.linux.ubuntu

CtrlAltDel wrote:

On Sun, 10 May 2026 11:49:51 +1000, Axel wrote:

https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html?m=1

I doubt it can use Ram modules to affect my system.

Oh dear.

If CtrlAltDel is trying to make a joke of sorts, then it is a very lame
joke.

If CtrlAltDel really cannot see the difference between "PAM" and "RAM"
at 32px, the headline font size on that web page, then a visit to the
optician is needed.

[followup set]
--- Synchronet 3.22a-Linux NewsLink 1.2

From Newsgroup: alt.os.linux.ubuntu

On Sun, 10 May 2026 09:21:21 +0100, Jeff Layman wrote:

On 10/05/2026 02:49, Axel wrote:

https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses- pam.html?m=1

"Although there is no evidence that the malware has been put to use in real-world attacks, infection chains distributing the malware are likely
to involve the adversary first obtaining root access to the host through
some other means and deploying the PamDOORa PAM module to capture
credentials and establish persistent access over SSH."

How does the adversary gain root access in the first place? The above
states "are /likely/ to involve...", but <https://cybersecuritynews.com/new-pamdoora-backdoor-attacking-linux-

systems/>

puts it even more strongly:
"PamDOORa is designed as a post-exploitation tool, meaning the attacker
must already have root access before deploying it."

So the attacker /must/ have root access. How do they get that?

Many of the publicized exploits require physical access to the system.
Should anyone have physical access to my computers I've got a much bigger problem than a OS exploit.

--- Synchronet 3.22a-Linux NewsLink 1.2

From Newsgroup: alt.os.linux.ubuntu

On Sun, 10 May 2026 11:51:04 +0100, PC-3FingerSalute wrote:

If CtrlAltDel is trying to make a joke of sorts, then it is a very lame
joke.

If CtrlAltDel really cannot see the difference between "PAM" and "RAM"
at 32px, the headline font size on that web page, then a visit to the optician is needed.

What's the difference between PAM and RAM, Mr. Genius?


--- Synchronet 3.22a-Linux NewsLink 1.2

From Newsgroup: alt.os.linux.ubuntu

CtrlAltDel wrote:

On Sun, 10 May 2026 11:51:04 +0100, PC-3FingerSalute wrote:

If CtrlAltDel is trying to make a joke of sorts, then it is a very lame
joke.

If CtrlAltDel really cannot see the difference between "PAM" and "RAM"
at 32px, the headline font size on that web page, then a visit to the
optician is needed.

What's the difference between PAM and RAM, Mr. Genius?

Google AI says..

PAM stands for Pluggable Authentication Modules.

In simple terms, it is a flexible framework that Linux uses to handle
how you log in and prove who you are to the system. Instead of every
single app (like SSH, your desktop login, or sudo) having its own code
to check passwords, they all talk to PAM.

Think of PAM like a universal wall socket: different "plugs" (modules)
can be swapped in or out without changing the appliance (the
application) itself.

Why does it matter?
-a-a-a rCo Decoupling: Developers don't have to write custom code for every authentication method (fingerprints, passwords, LDAP, etc.). They just
ask PAM, "Is this person who they say they are?"
-a-a-a rCo Flexibility: As an admin, you can change your system from using standard passwords to using YubiKeys or Google Authenticator just by
editing a text file, without ever touching the source code of your apps.

How it works
PAM organizes its work into four main "management groups," often seen in configuration files:
-a-a-a rCo auth (Authentication): Verifies the user's identity (e.g., "Enter your password").
-a-a-a rCo account (Account Management): Checks if the account is actually allowed to log in right now (e.g., has the password expired? Is it after
work hours?).
-a-a-a rCo password (Password Management): Handles the process of updating the authentication token (e.g., when you run the passwd command).
-a-a-a rCo session (Session Management): Handles tasks that happen at the start and end of a session (e.g., mounting a home directory or logging
the login time).

Key Files and Directories
If you want to see PAM in action on your own system, look at these
locations:
-a-a-a rCo /etc/pam.d/: This directory contains the configuration files for every PAM-aware application (e.g., sshd, sudo, login).
-a-a-a rCo /usr/lib/security/: This is usually where the actual module files (ending in .so) are stored. These are the "plugins" that do the heavy
lifting.

A Practical Example
If you look at the Arch Linux Wiki on PAM, you'll see that when you run
sudo, it checks its configuration in /etc/pam.d/sudo. That file might
tell PAM to first check your password using pam_unix.so and then check
if you're in the right group using pam_wheel.so.

Warning: Be very careful when editing these files! One typo can lock
everyone (including the root user) out of the system entirely. It is
always a good idea to keep a root terminal open while testing changes so
you can undo them if things break.
--
Linux Mint 22.3

--- Synchronet 3.22a-Linux NewsLink 1.2

From Newsgroup: alt.os.linux.ubuntu

On Tue, 12 May 2026 08:56:01 +1000, Axel wrote:

One typo can lock everyone (including the root user) out of the
system entirely.

One of the first things budding sysadmins learn is how to recover from
such a mistake.
--- Synchronet 3.22a-Linux NewsLink 1.2