Rich Freeman via plug on 5 Aug 2025 04:15:37 -0700



Re: [PLUG] 'Plague' PAM Backdoor Exposes Critical Linux Systems to Silent Credential Theft


On 8/4/2025 4:11 PM, Martin Cracauer via plug wrote:
> jeffv via plug wrote on Mon, Aug 04, 2025 at 09:44:46AM -0400:
>> New 'Plague' PAM Backdoor Exposes Critical Linux Systems to Silent
>> Credential Theft
>>
>> https://thehackernews.com/2025/08/new-plague-pam-backdoor-exposes.html
>>
>> "The implant is built as a malicious PAM (Pluggable Authentication Module),
>> enabling attackers to silently bypass system authentication and gain
>> persistent SSH access," Nextron Systems researcher Pierre-Henri Pezier said.
>
> That sounds like something easily detected by a rkhunter type of scan.
> Pretty lame.

Looks like it could be used as a component of a complete rootkit, but you're right that this seems like nothing new. Is this some security firm or academic group trying to get some attention?

I think any effective rootkit needs to be a holistic solution since the various components all need to help hide each other. They should also be installed in a polymorphic manner to at least make offline detection more difficult - I'm not sure how effective that actually is these days (I'm guessing not very since that has been around for decades).

--
Rich

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
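Added example, not from this thread, from rkhunter or from Nextron's write-up: the kind of check Martin's "rkhunter type of scan" amounts to for a PAM backdoor. It lists the module files the host's PAM configuration actually loads (from /etc/pam.d and /etc/pam.conf), resolves each to a file in the usual module directories, and asks the package manager who owns that file. A module that the configuration references but that no installed package claims, or that cannot be found at all, is what to inspect. Assumptions: dpkg or rpm is available, and the module search path in resolve_pam_module covers the host's layout; the function names and the --audit flag are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not code from the PLUG thread or from Nextron). Audit the
# PAM modules a host loads against the package manager's ownership records.
# Assumed: dpkg or rpm is installed; modules live in one of the directories
# searched by resolve_pam_module.

# Print the unique module names from PAM configuration text on stdin.
# A /etc/pam.d/<service> line is: type control module-path [args]
# A /etc/pam.conf line carries the service name as an extra first field.
pam_modules_from_config() {
    local ctl=2                               # field index of the control field
    if [ "${1:-pamd}" = "pamconf" ]; then ctl=3; fi
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' \
    | awk -v ctl="$ctl" '
        NF == 0 { next }
        $1 == "@include" { next }             # directive, not a module line
        {
            i = ctl
            # a bracketed control may span several words: [success=1 default=ignore]
            if ($(i) ~ /^\[/) { while (i <= NF && $(i) !~ /\]$/) i++ }
            i++                               # first field after the control
            # "include"/"substack" name another config file, not a module
            if (i <= NF && $(i) ~ /\.so$/) print $(i)
        }' \
    | LC_ALL=C sort -u
}

# Map a module name (or absolute path) to an existing file; fail if none found.
resolve_pam_module() {
    local m="$1" d
    case "$m" in
        /*) if [ -e "$m" ]; then printf '%s\n' "$m"; return 0; fi; return 1 ;;
    esac
    # Assumed search path: Debian/Ubuntu multiarch and Fedora/RHEL layouts.
    for d in /lib/security /lib64/security /usr/lib/security /usr/lib64/security \
             /lib/x86_64-linux-gnu/security /usr/lib/x86_64-linux-gnu/security; do
        if [ -e "$d/$m" ]; then printf '%s\n' "$d/$m"; return 0; fi
    done
    return 1
}

# Print the package owning a file, or nothing if no package claims it.
# On merged-/usr systems the database may record the file under /usr, so
# retry with the canonical path when the literal path is unowned.
package_owner() {
    local f="$1" real owner=""
    real=$(readlink -f "$f")
    if command -v dpkg >/dev/null 2>&1; then
        owner=$(dpkg -S "$f" 2>/dev/null | head -n1 | cut -d: -f1)
        [ -n "$owner" ] || owner=$(dpkg -S "$real" 2>/dev/null | head -n1 | cut -d: -f1)
    elif command -v rpm >/dev/null 2>&1; then
        owner=$(rpm -qf "$f" 2>/dev/null) || owner=$(rpm -qf "$real" 2>/dev/null) || owner=""
    fi
    printf '%s\n' "$owner"
}

# Walk the live configuration; one line per module: STATUS PATH OWNER.
audit_pam_modules() {
    local m path owner
    {
        if [ -d /etc/pam.d ]; then cat /etc/pam.d/* 2>/dev/null | pam_modules_from_config pamd; fi
        if [ -f /etc/pam.conf ]; then pam_modules_from_config pamconf < /etc/pam.conf; fi
    } | LC_ALL=C sort -u | while IFS= read -r m; do
        if ! path=$(resolve_pam_module "$m"); then
            printf 'MISSING  %s\n' "$m"
            continue
        fi
        owner=$(package_owner "$path")
        if [ -z "$owner" ]; then
            printf 'UNOWNED  %s  (no package claims this file: inspect it)\n' "$path"
        else
            printf 'ok       %s  %s\n' "$path" "$owner"
        fi
    done
}

# Run the audit only when invoked as `bash pam_audit.sh --audit` (as root,
# so every file under /etc/pam.d is readable).
if [ "${1:-}" = "--audit" ]; then audit_pam_modules; fi
```

Two caveats follow directly from Rich's point about holistic hiding. First, ownership is a weak oracle: a backdoor written over the packaged pam_unix.so under the same name still prints "ok", so pair this with a content check such as `dpkg -V libpam-modules` or `rpm -V pam`, or with hashes taken from a pristine package. Second, a rootkit that also tampers with dpkg/rpm, their databases, or the filesystem view defeats any check run on the live host, which is why this belongs in an offline or boot-media scan rather than on the possibly compromised system.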