Help! All data in mybook live gone and owner password unknown

I’m an MBL Duo user from Canada. The device logs show that it rebooted (but did not reset) at 4:04 AM on the 23rd. All of my files are still intact. I didn’t give the notification email about it rebooting any thought because, coincidentally, there was a power outage at 7 AM, so it didn’t seem unusual. Strangely, despite the power outage, the logs only show the one reboot at 4 AM.

Some details that may be useful to others more knowledgeable about these things:
Firmware Version: 02.43.03-022
Auto Update: Disabled
Remote Access: Enabled (Automatic)
Router UPnP: Enabled
FTP: Enabled
SSH: Enabled

I’ve since disconnected the device from my router (and disabled UPnP). I have a full backup of all important data on an external USB drive, but there are still some files I’d like to get off it. I’ll connect it directly to a laptop to copy those files and take a look at the crontab, which I’ve been using for years to do a nightly rsync to the external USB.


Thank you for your post. Let us know if you have complete success. I mailed my WD NAS on Friday and it will arrive Monday. The best support I had received from Western Digital was to take it to a recovery company. All data gone from our entire lives until 5 years ago. I hope it works.

Unfortunately I had the same problem 2 days ago. I also found in the user.log the record related to the “factoryRestore.sh: begin script”.

I checked my current home network configuration in the internet router:
UPNP = off
NAT/PAT = none
DMZ = yes (My Book Live Duo IP address) :frowning:

In the My Book Live Duo settings:
Remote Access = Enable not checked

I removed the DMZ configuration in the internet router and blocked the My Book Live Duo IP address to prevent access to the Internet. I am now trying to reinstall the My Book Live Duo starting from a fresh factory restore.

One has to wonder why they deleted devices without a ransom. Perhaps it was to cover their tracks somehow? Frankly, since the vulnerability allowed the attackers to run commands on the devices as root, there’s no reason to think data couldn’t have been accessed. If I’m wrong, someone please chime in and correct me.

I hope your tax returns were at least password protected by TurboTax or something like that? Either way, I would set up fraud monitoring if enough sensitive info was potentially released. I hope your data wasn’t accessed, but I also would be proactive if I were you in protecting yourself from potential fraud.

In the end, this hack may turn out to be worse for some than others depending on what kind of data was on their WD devices.

I’m not really sure how to set up fraud monitoring? I think the only personal info I had on there was a copy of my and my parents’ tax returns for the past couple of years, and my credit card statements. The credit card I can monitor online for any weird activity. Not sure what to do about a potential breach of our social insurance numbers though. The Canadian government website suggests calling one of the credit bureaus to monitor your file, so I guess I’ll do that Monday.

Also if anyone has any suggestions for someone not networking inclined to make sure my network is otherwise secure now that I’ve unplugged the MBL, I’d greatly appreciate it.

So I’m one of the lucky ones and found this thread coincidentally 2 days ago on Reddit… my device is double backed up and everything on it is encrypted, so I wasn’t worried and kept it running till this morning… everything on it was disabled including SSH except remote control, which I needed… right now it’s running but I disabled remote control and cut off the internet from and to it via the modem firewall.

Yeah, I have a desktop. I shall have a look at what connectors are available…

All connected and recognising the drive; now the long task of running partition recovery.

(Sorry for the late reply; I hit a limit on posts during my first days posting.)

I can’t find the UPnP setting on the WD device.

This is all I get from cat /etc/crontab:

MyBookLive:~# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	 * * *    root  cd / && run-parts --report /etc/cron.hourly
0 3	     * * *	  root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
10 3	 * * 7	  root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
20 3	 1 * *	  root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

What other commands should I do from here to see if I’m compromised?

Yes, I wrote the fix myself.
It was very easy: I just searched for all lines that contain the words “exec” and “sudo” and then looked at which variables could be controlled by an attacker without authentication. Then I wrapped those variables with escapeshellarg.
There are thousands of “unescaped” (vulnerable) execute commands, which is a very unsafe coding style, but most of them are not critical because they could only be exploited if the attacker is already logged in.

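The post above describes the fix in general terms: find shell commands built from request variables and wrap those variables in escapeshellarg(). The following PHP is an added illustration of that pattern, not code from the My Book Live firmware or from the poster’s patch; the share name, the /shares path, and all function names are hypothetical, and the firmware’s real PHP files and request parameters are not reproduced.

```php
<?php
// Added example, not firmware code. Function names, the "/shares" path and the
// share-name rule are hypothetical stand-ins for whatever the real web UI uses.

// The pattern the post calls an "unescaped" exec: a request-controlled value is
// concatenated straight into a shell command line, so any shell metacharacter
// in the value (';', '|', '$(...)', quotes) changes what the shell runs.
function command_unescaped(string $share): string
{
    return "ls -l /shares/" . $share;
}

// The fix the post describes: wrap every attacker-influenced variable with
// escapeshellarg(). It single-quotes the value (and escapes embedded quotes),
// so the shell receives it as exactly one literal argument.
function command_escaped(string $share): string
{
    return "ls -l " . escapeshellarg("/shares/" . $share);
}

// Defence in depth: validate the value against what it is allowed to be before
// it goes near a shell at all. A share name never needs ';', '/', quotes or
// spaces, so reject anything outside a tight allow-list pattern.
function valid_share_name(string $share): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $share) === 1;
}

// The hardened call site: validate, then quote, then execute. Even a request
// that reaches this code unauthenticated cannot append a second command.
function list_share(string $share): array
{
    if (!valid_share_name($share)) {
        throw new InvalidArgumentException("invalid share name");
    }
    exec(command_escaped($share), $lines, $status);
    if ($status !== 0) {
        throw new RuntimeException("ls failed with exit status $status");
    }
    return $lines;
}

// Constructed input: a "share name" that also carries a second shell command.
// Nothing below executes it; the two command strings are only built and shown
// so the effect of escapeshellarg() is visible.
$input = "photos; echo INJECTED";

echo "unescaped: " . command_unescaped($input) . PHP_EOL;
echo "escaped:   " . command_escaped($input) . PHP_EOL;
echo "validated: " . (valid_share_name($input) ? "accepted" : "rejected") . PHP_EOL;
```

Run with php on the command line. The unescaped string contains two commands separated by ';', while the escaped string carries the whole value inside single quotes as one argument to ls, and the validator rejects it outright. The poster’s remark that many unescaped calls are “not critical” because they sit behind a login is worth reading together with the last function: the allow-list check and escapeshellarg() cost nothing, and applying them even on authenticated paths means a later authentication bypass does not turn every such call into root command execution.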

If you have Remote Access enabled and automatic, UPnP is enabled. You may need to turn off UPnP on your Internet router/modem by logging into it and finding it within your router’s settings.


Already turned off in the modem.

Am I correct in thinking that this only affected MBL users with Auto Update enabled? From the above posts it seems that users who had this setting disabled were unaffected.

I had auto updates enabled but remote access disabled. UPnP was enabled on my router. I disconnected my device on Thursday.

Losing access to 10 years of files, family photos, etc. is hard to swallow, but I am growing increasingly concerned that these files have now fallen into the wrong hands.

Same happened to me. I’ve tried DiskInternals (Windows) and R-Linux (Ubuntu) by connecting the drive to my PC with an adapter. Neither worked. Each scan took about 15 hours. There’s only some binary ■■■■ on it. DiskInternals Linux Recovery at least found the files and their names, but the contents were corrupted. Not even text files were readable anymore.

At least, I could restore some really important files from my Android Tablet. This app heavily utilizes caching. So if you accessed a file, a copy can be found in the android system folder.

The hard drive itself is intact. We can always format/partition it or continue to use the device…

Well, after that disaster, I’m not sure if I should buy another “NAS” or just move my stuff to a professional cloud service.

I had auto update enabled and was unaffected. I had remote access off, UPnP off on both the MBL and router, NAT on the router and the router firewall set to ‘medium’ for whatever that was worth. SSH was disabled and no ports forwarded on the router to the MBL.

I tend to think it was open ports on the router that did them in. They may have turned on UPnP unintentionally by briefly turning on remote access at some point and the UPnP then had the router open the ports and they never even knew they did it. The way the MBL turns on UPnP isn’t very clear as it doesn’t have a direct setting and is instead enabled with “automatic” being set.

Also, while first setting up their MBL they may have initially manually forwarded ports on their router and forgot about it. Some may have initially put their MBL within a DMZ on their routers and forgot about it as well which made it completely exposed to the Internet.

The attackers hunted for MBLs on the internet with open ports and inserted their payloads, or perhaps more than we’ll ever know, unfortunately, since they may have covered their tracks by factory resetting the machines after they were done. This is mere speculation on my part; if anyone knowledgeable would like to correct me, I’d appreciate it.


Hi all
I’d be grateful for a bit of help.
I’m lucky in that I have an MBL that doesn’t seem to be affected. I checked yesterday and the files seemed OK, so I pulled the network cable from it.
Am I right in thinking that if I apply MAC filtering on my router, that will stop it connecting to the internet and I should be safe?
If so, how can I get the MAC address without connecting it back up (which I don’t want to do for obvious reasons).
Thanks in advance, and I hope everyone who has had the problem gets their data back :frowning:

I’m late to the party; I only got the notification from WD this morning. Couldn’t even log in to view my folders either via the app or online, so I plugged it in to a PC and, like most, all data is gone. Just doing a backup of my backup from the PC. Then what, just have a network drive not connected to a network until WD fathom out what’s gone on?

I’m currently in the same boat. Been running DiskInternals Partition Recovery since last night. Currently 25% through.

I’m also a user in the same situation, only found this out on Friday while trying to access my data, only received an email from WD to ‘unplug the device’ yesterday evening, which is a bit late when the attack already happened!!

My main concern is that the attackers may have copied all my data from the drive, is there any way I can tell if this happened? Maybe to check my Orbi router logs for large upload activity?

I think I have a backup of my most important data, but it may be a few months old, all I can say is that I won’t be trusting a networked drive ever again!! My MBL is now effectively redundant!!

Just received the WD email yesterday night in France at 9:30 pm and read it this morning. My WD My Book Live Duo is configured in RAID 1, 2 disks, and I am afraid I won’t be able to recover anything.
Can you tell me your thoughts about this? Thanks.