Help! All data in mybook live gone and owner password unknown

Had some success finding files using Disk Drill, but wife vetoed purchasing the Pro version (which would actually allow me to recover them). Looking at the previews, the files do seem to be there, but with some corruption. I’d guess that maybe a quarter of the pictures had some level of corruption on them.

Now trying again with photorec, since I’m being told to try one of the free options. Already seeing several thousand files and I’m just a few minutes in. Looks like it’ll take around 15 hours to image the whole drive though.

Sorry, should’ve been more clear on that. You want the largest partition of the disk you inserted. The other partitions contain boot and OS files.

Sorry, should’ve been more specific. You want the largest Linux-type drive, so in this case /DataVolume. The disk contains some other smaller partitions for OS and boot stuff.

Did you scan the large partition? (called /DataVolume on someone else’s computer, I wasn’t clear in my instructions on that). Also if you just had 2 GB of data then I’d expect it would go fast. And I guess the software couldn’t rediscover the movie files, maybe because it was in a format it didn’t support or something.

I scanned that OFJU binary VirusTotal

It appears to be part of the Linux.Ngioweb botnet https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/

(apologies if posting twice – I’m getting spam filtered)

1 Like

What is OFJU ?

It’s the payload downloaded by the script caught here: Help! All data in mybook live gone and owner password unknown - #201 by goosman

1 Like

Gets reset to nothing…blank. Don’t enter a pw, just press enter.
It will log you in, then change pw to what you want.

1 Like

As I was looking for more information about CVE-2018-18472, I noticed that the exploit was already known in March 2014! (WDMyCloud Command Injection CSRF · GitHub) So there was a root command-injection exploit online while the MyBookLive devices were still supported, and WD did nothing?!

2 Likes

If anyone finds a way to recover your files, could you please share it. I lost all of my family photos and movies for my girls and also for my mother that recently passed away. I am heart broken. Any help would be greatly appreciated. Thank you so very very much.

I would recommend OpenWrt. I’ve used it a bunch. You could get in via ssh and delete or otherwise disable the wipe code, but we don’t know the extent of the control the bad guys have. It’s possible they could just turn it back on. It’s an outbound request, so it’s not reliable to block a specific port. You can block it from everything in and out, but I still wouldn’t trust it.

OpenWrt is a little harder to mess with, as it’s not really for NAS devices. My current NAS is just Debian 10 on a regular PC, and it’s been working great for years and is fully patched.

There are tools to do data recovery on your own, but I cannot recommend that you do it yourself. Power off the device and do not write anything to the disk, do not re-index it, etc.
Bring your device to a trustworthy data rescue service. They might be able to recover the data.

Yeah, I’m not sure it wasn’t partially used in this attack, but this one almost certainly came from the WD servers, and there was not a whole lot you could do to stop it other than replacing the device last year.

1 Like

Help. Oh my gosh my MBL is wiped clean. This is very, very bad. It’s hard to even try and think of all the data that was there.
WD!!! How did this happen?? This needs to be fixed. I will have to spend hours backing up and searching for whatever I still have. So much data will never be found.

Thank you so very much for your input. I got a quote for data recovery and it was $2,000 to $5,000. Unbelievable.

Why do you think the attack came from the WD CNC servers? The theory that UPnP or port forwarding was used to access the vulnerable REST API sounds very reasonable.

I feel really sorry for those who lost their data, especially those who lost family pictures, but many in this forum saw that coming.
The day when Western Digital pays the price for forcing their users to enable remote access to their devices has come. I know, they won’t learn the lesson.

2 Likes

This information would have been very helpful if you had emailed all your WD MyBookLive owners. I just found out through a Reddit post and went to check on my network hard drive, only to see it had been factory restored 2 days ago! So advising people to disconnect is advising people who are looking for answers about a hack that has already happened! No one is searching for answers to a problem that hasn’t occurred yet!

1 Like

I think one argument is the timing. It seems like all of the affected users were hit within a very short time frame, like within hours of one another. That doesn’t sound like a threat actor doing a worldwide port scan, but someone who had access to WD user IP addresses.

4 Likes