Has my MyCloud been hacked?

Anyone know why my MyCloud would have a connection to a Google DNS server?

192.168.xxx.xxx:35380 xxx.xxx.xxx.xxx:35380 8.8.8.8:53 TCP TW Out 128 214

Is the Cloud configured to use Google DNS in the DHCP or DNS settings?

If so, it’s probably just done a (large) DNS lookup.

It’s a large lookup because it used TCP, which generally means either the question or answer would be larger than 512 bytes.

If you’re not using Google DNS in your DHCP assignment or static configuration, then something else is going on…

@gewili:

I strongly recommend considering what TonyPh wrote.

I would even go further and:

Full factory restore of MyCloud, then

Disconnect MyCloud from LAN.

Reset router to factory defaults and do not open any ports.

Watch connection logs because from inside your LAN more computers could be infected.

If no anomalies are visible during a few days, then reconnect MyCloud.

I’m in the process of moving my data off the MyCloud. I will be scanning it as well with antivirus and Malwarebytes.

Can anyone help with Linux instructions to see if the Korn shell and httpd processes are hiding somewhere on the MyCloud?

I know they could be hidden with other names but it’s worth a try. I will be doing a factory reset in any case.

Message to WD: put a way to change the root password in the GUI. Perhaps even force the user to change it when the device is first set up.

There was no excuse for me not to have changed it. I know better.
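Two read-only checks for the questions raised in this thread (the TCP connection to 8.8.8.8:53 shown in the router log, and whether processes are hidden from ps). This is an added example, not something posted in the thread or shipped by WD; it assumes a POSIX sh with /proc and a procps-style ps, as found when logging into a MyCloud over SSH. The file name check.sh and the inode 1234 in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only checks an admin could run over
# SSH on a MyCloud (or any Linux box). Assumes POSIX sh, /proc and procps ps.

# "0100007F:8A34" as written in /proc/net/tcp -> "127.0.0.1:35380". The IPv4
# address is 8 hex digits in little-endian byte order; the port is plain hex.
decode_endpoint() {
    ip=${1%:*}; port=${1#*:}
    printf '%d.%d.%d.%d:%d' \
        "0x$(printf %s "$ip" | cut -c7-8)" "0x$(printf %s "$ip" | cut -c5-6)" \
        "0x$(printf %s "$ip" | cut -c3-4)" "0x$(printf %s "$ip" | cut -c1-2)" "0x$port"
}

tcp_state_name() {
    case "$1" in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;; 06) echo TIME_WAIT ;;
        08) echo CLOSE_WAIT ;;  0A) echo LISTEN ;;   *) echo "state_$1" ;;
    esac
}

# Every TCP socket whose remote end is $1 (e.g. 8.8.8.8:53), with state, owning
# uid and socket inode (match the inode under /proc/*/fd to find the process).
# $2 overrides the table so the parser can be tested on a constructed file.
find_tcp_peer() {
    peer=$1; table=${2:-/proc/net/tcp}
    tail -n +2 "$table" | while read -r _ loc rem st _ _ _ uid _ inode _; do
        r=$(decode_endpoint "$rem")
        [ "$r" = "$peer" ] || continue
        printf '%s -> %s %s uid=%s inode=%s\n' "$(decode_endpoint "$loc")" \
            "$r" "$(tcp_state_name "$st")" "$uid" "$inode"
    done
}

# PIDs present in /proc but absent from ps output: a replaced ps binary or a
# rootkit hiding processes is one explanation. Each miss is re-checked so a
# process that started after the ps snapshot is not reported.
hidden_pids() {
    seen=$(ps -e -o pid= | tr -d ' ')
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        printf '%s\n' "$seen" | grep -qx "$pid" && continue
        [ -d "$d" ] && ! ps -p "$pid" -o pid= >/dev/null 2>&1 && echo "$pid"
    done
}

# Live checks run only as "sh check.sh run"; otherwise functions are just defined.
if [ "${1:-}" = run ]; then
    echo "== TCP sockets to 8.8.8.8:53 =="; find_tcp_peer 8.8.8.8:53
    echo "== PIDs in /proc that ps does not show =="; hidden_pids
fi
```

A TIME_WAIT entry to 8.8.8.8:53 matches the "TW" state in the router log above; a name like ksh or httpd in /proc/PID/cmdline proves little on its own, so compare /proc/PID/exe against the files the firmware actually ships.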

Which restore type do you recommend? Is System Restore sufficient?

Could the hacker have compromised the restore data, in which case none of the restore types would work?

If you get your data offloaded, I personally would do a “Full System Restore” from the Dashboard. This will erase all data, return to the default login, remove all your shares except “Public”, and reset your “Cloud Access”.

I did this 6 weeks ago and have had no issues since. Although it was a “pain in the rear” to get everything back (data reloaded, shares, users, permissions, cloud access, etc.), I now see it was time well spent. Especially since you think you were hacked, or possibly hacked.

This is my personal opinion and what I would do.

@SectorGZ,

Note that you can back up your configuration settings in the My Cloud. Find this option in the Dashboard and back up the configuration file somewhere: HDD, SSD, USB, another NAS. All of the settings will be saved (shares, sleep, users, privileges, etc.), so you can have less PITA. Mwahaha.