I recently logged into (ssh) my WDMycloud device. What is odd is that when I ran ‘last’, it created the wtmpx file and therefore all previous logins were not shown.
No problem I thought - I remembered that I received an email notifying me of a recent firmware upgrade and I cannot say for sure which changes have been made.
The other thing is that the root directory was empty and I thought I had knocked up a test Perl script in there - but I could not say that with absolute certainty.
The .bash_history file was surprisingly short, but at the top had this command: ‘debootstrap/debootstrap --second-stage’, and also this: ‘cat /etc/apt/sources.list’.
In relation to the first command, I found this web page https://wiki.debian.org/Debootstrap that explains that debootstrap is a tool which will install a Debian base system into a subdirectory of another, already installed system. It doesn’t require an installation CD, just access to a Debian repository.
The second command could be someone double checking that the access to the repository exists. The contents of sources.list are:
WDMyCloud:~# cat /etc/apt/sources.list
deb http://ftp.us.debian.org/debian/ wheezy main
#deb http://ftp.us.debian.org/debian/ sid main
#deb http://ftp.us.debian.org/debian/ experimental main
#deb-src http://ftp.us.debian.org/debian/ wheezy main
So the wheezy repository is available.
I have double confirmed that my Virgin Hub does not allow ssh port forwarding - in fact it doesn't allow any port forwarding, and in addition to that I do use strong passwords.
If my fear that I am sitting in a chrooted environment is correct, then this exploit is available to anyone that has turned on ssh.
This is a really long shot - but is it possible that this history fragment that contains the debootstrap command is an artifact from the factory build process? I am not familiar with the Debian flavor of Linux and the MyCloud setup is customised.
My files remain intact and I have disconnected the device from the hub.
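An added example, not part of the original post: two read-only checks for the chroot and factory-build questions raised above. It assumes GNU stat and a root shell; the function names are hypothetical, and /var/log/bootstrap.log is where stock debootstrap leaves its log, which this firmware may or may not have kept.

```shell
#!/bin/sh
# Added example: read-only checks, nothing on the device is modified.

# dir_id PATH -> prints "device:inode" of PATH; fails if PATH cannot be read.
dir_id() {
    stat -c '%d:%i' "$1" 2>/dev/null
}

# chroot_status [OUR_ROOT] [INIT_ROOT]
# Compares our "/" with the root directory of PID 1 (init).
# Prints: not-chroot (same directory), chroot (different), unknown (unreadable).
chroot_status() {
    our_root=${1:-/}
    init_root=${2:-/proc/1/root/.}
    ours=$(dir_id "$our_root") || { echo unknown; return 0; }
    init=$(dir_id "$init_root") || { echo unknown; return 0; }
    if [ "$ours" = "$init" ]; then
        echo not-chroot
    else
        echo chroot
    fi
}

# bootstrap_log_time [ROOT]
# Prints the modification time of ROOT/var/log/bootstrap.log (the log a
# completed debootstrap run leaves behind), or "absent" if it is not there.
# Assumption: the vendor image did not delete or rewrite this file.
bootstrap_log_time() {
    log="${1:-}/var/log/bootstrap.log"
    if [ -f "$log" ]; then
        stat -c '%y' "$log"
    else
        echo absent
    fi
}

echo "chroot check:        $(chroot_status)"
echo "bootstrap.log mtime: $(bootstrap_log_time)"
```

A result of "unknown" usually means the shell is not root and cannot read /proc/1/root. File timestamps can be changed, so treat the bootstrap.log date as one data point alongside the firmware release date, not as proof.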