Detect PAM backdoors created by linux-pam-backdoor
#!/bin/bash
# Detect PAM backdoors created by linux-pam-backdoor:
# https://github.com/zephrax/linux-pam-backdoor
#
# Note: this will likely only work with PAM version 1.3.0.
# ---
# $ ./backdoor.sh -v 1.3.0 -p some_s3cr3t_p455word
# Automatic PAM Backdoor
# PAM Version: 1.3.0
# Password: some_s3cr3t_p455word
# ...
# Backdoor created.
# Now copy the generated ./pam_unix.so to the right directory (usually /lib/security/)
# ...
# $ ./linux-pam-backdoor-detect
# Checking /lib/x86_64-linux-gnu/security/pam_unix.so ...
# Found possible backdoor password: some_s3cr3t_p455word
# ---
# bcoles
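# Default location on Debian/Ubuntu x86_64; adjust for other systems.
pam_unix="/lib/x86_64-linux-gnu/security/pam_unix.so"
if [ ! -r "${pam_unix}" ]; then
  echo "Cannot read ${pam_unix}" >&2
  exit 1
fi
echo "Checking ${pam_unix} ..."
# Take the string that follows the "bad username" message and the string that
# precedes the "auth could not identify password" message. If both are the same
# string, a single literal sits between the two messages: the suspected password.
start="$(strings "${pam_unix}" | grep "bad username \[%s\]" -A 1 | tail -n 1)"
end="$(strings "${pam_unix}" | grep "auth could not identify password for" -B 1 | head -n 1)"
# Require a non-empty match: if neither message is found, both variables are
# empty and would otherwise compare equal.
if [ -n "${start}" ] && [ "${start}" == "${end}" ]; then
  echo "Found possible backdoor password: ${start}"
else
  echo "No backdoor found"
fi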