Skip to content

Instantly share code, notes, and snippets.

@bcoles
Created September 13, 2020 13:40
Show Gist options
  • Save bcoles/b66c0116daa1d1d2623e0d2a2795304f to your computer and use it in GitHub Desktop.
Save bcoles/b66c0116daa1d1d2623e0d2a2795304f to your computer and use it in GitHub Desktop.
Detect PAM backdoors created by linux-pam-backdoor
#!/bin/bash
# Detect PAM backdoors created by linux-pam-backdoor:
# https://github.com/zephrax/linux-pam-backdoor
#
# Note: this will likely only work with PAM version 1.3.0.
# ---
# $ ./backdoor.sh -v 1.3.0 -p some_s3cr3t_p455word
# Automatic PAM Backdoor
# PAM Version: 1.3.0
# Password: some_s3cr3t_p455word
# ...
# Backdoor created.
# Now copy the generated ./pam_unix.so to the right directory (usually /lib/security/)
# ...
# $ ./linux-pam-backdoor-detect
# Checking /lib/x86_64-linux-gnu/security/pam_unix.so ...
# Found possible backdoor password: some_s3cr3t_p455word
# ---
# bcoles
pam_unix="/lib/x86_64-linux-gnu/security/pam_unix.so"
echo "Checking ${pam_unix} ..."
start="$(strings "${pam_unix}" | grep "bad username \[%s\]" -A 1 | tail -n 1)"
end="$(strings "${pam_unix}" | grep "auth could not identify password for" -B 1 | head -n 1)"
if [ "${start}" == "${end}" ]; then
echo "Found possible backdoor password: ${start}"
else
echo "No backdoor found"
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment