Help! All data in mybook live gone and owner password unknown

To work correctly, shouldn’t that be:

 sudo find / -name "*nttp*"

Forgive the crappy cell phone picture, easiest way to do this. Has anyone else noticed this in their network while dealing with this? I noticed it earlier today on my laptop and the desktop but didn’t put two and two together.

This is a picture from my netbook which has never been attached to this network so it can’t be any other network device. This showed up when I attached the MBL to it. I’d never noticed it being there before today but I also don’t look at the network page often.

It’s no longer showing up on network, so that’s good I guess. And my network shows no devices I’m not familiar with, so that’s also good. Is it just the chipset of the MBL? Has anyone had this show up?

My post above had the same IP in my router logs; 213.217.0.184 ramped up attacks for maybe about a week prior. Mostly exactly on the hour. One got through and voila. We have the s**t show we have today.

1 Like

Working on a cloned image is definitely safer. However, it should be noted that WD used a 64K block size for the filesystem so mounting the drive or a cloned image on x86 systems is not possible with conventional methods, which is why I had to use debugfs. If you plan to dump your data from a cloned image, you will need twice the amount of spare storage.

That’s a good reminder for mounting as read-only. By default, debugfs opens the filesystem as read-only.

If you are dumping out the data to a location on your Linux PC then you can specify the path explicitly or you can omit it if you change to the directory of the dump. If you SSH into the NAS then the root path / works fine, but on your own Linux PC, starting with / as a path will needlessly search your entire system.

-iname is the same as -name but ignores case to match any uppercase letters. I was not certain of the exact name of the trojan.

A better method would be to scan all files using one of the few Antivirus engines that can currently detect it.

You can also try to get a hash list of all your files and match it against one of the hashes on VirusTotal. This command will match the trojan’s SHA1 hash value:

 sudo find -type f -exec sha1sum {} + | grep 6a4f531f3e05de4d1499e0242e280dc60bd87a71

1 Like
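The hash-matching idea from the post above, written out as a small script. This is an added example, not code from the thread or from WD: it walks a dump directory, hashes every regular file in chunks (so multi-GB media files do not exhaust memory), compares against a set of indicator hashes rather than a single grep pattern, and keeps going past unreadable paths instead of aborting the scan. The only hash in the set is the SHA-1 quoted in the post; the directory layout and file names are whatever you point it at.

```python
"""Walk a recovered data dump and flag files whose SHA-1 matches a known-bad list.

Added example (not from the forum thread). Generalises the one-liner
`find -type f -exec sha1sum {} + | grep <hash>` to a set of indicators.
"""
import hashlib
import os
import sys

# SHA-1 quoted in the thread for the trojan (taken from the post above).
KNOWN_BAD_SHA1 = {
    "6a4f531f3e05de4d1499e0242e280dc60bd87a71",
}

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on large files


def sha1_of_file(path):
    """Return the lowercase hex SHA-1 of a file, hashing it in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, bad_hashes=KNOWN_BAD_SHA1):
    """Return (matches, errors).

    matches: list of (path, sha1) whose digest is in bad_hashes
    errors:  list of (path, reason) for files that could not be read
    """
    matches, errors = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):  # do not follow symlinks out of the dump
                continue
            try:
                digest = sha1_of_file(path)
            except OSError as exc:
                # Unreadable file (permissions, I/O error on a damaged image):
                # record it and carry on rather than losing the whole scan.
                errors.append((path, str(exc)))
                continue
            if digest in bad_hashes:
                matches.append((path, digest))
    return matches, errors


if __name__ == "__main__":
    # Usage: python scan_dump.py /path/to/dump  (defaults to the current dir)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    hits, problems = scan_tree(target)
    for path, digest in hits:
        print(f"MATCH {digest} {path}")
    for path, reason in problems:
        print(f"SKIPPED {path}: {reason}", file=sys.stderr)
    print(f"{len(hits)} match(es), {len(problems)} unreadable file(s)")
```

Run it against the dump directory, not the live NAS root, for the same reason given above about `/` needlessly searching the whole PC. Add further hashes to `KNOWN_BAD_SHA1` as they become known; matching on a set is the same cost as matching on one.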

I’m glad I avoided using Live Duo for backup purposes. They were tempting. I did use a single WD Live for redundant media, and as a bridge for moving files between incompatible devices. Backups of that were recent, so losing 2TB due to this hack amounted to a minor inconvenience. I never trusted these things to begin with. Cloud service you can’t unsubscribe from, without tech support? Nothing suspicious about that at all!

They say support ended in 2015? How come the cloud service is running? How come the drive can still ping for firmware updates, if none are coming? Why not release a “bottle cork” update. One that seals off the thing from the internet. Kills all remote call ports and leaves it as a LAN only thing? They want their cake and to eat it too.

By the way. As soon as I analyzed the drive I put some files on it and connected it right back up. There’s nothing on it that I can’t afford to lose. I just want to see what happens. It’s been running since after the attack. No subsequent resets. I did not change anything. I wanted to see if the attack was continuous, or only a short burst. Because if it was, as WD seems to indicate, a bruteforce execution, with no user data being stolen, and no firmware update servers being hacked - I don’t buy that one bit. I say that it was their firmware homebase that got hacked and either assisted with IP redirects, or served as a target list.

I say, WD got hacked, and they’re looking to avoid lawsuits. They found the problem and fixed it, but didn’t go public with the find. They are stalling, and pretending it’s not their problem anymore. Because if they are at fault, they may owe every data recovery client up to $5K. This will snowball.

1 Like

Sorry I wasn’t clear. I meant you needed the forward slash for it to work at all with either -name or -iname when using ssh directly into the MBL.

Which one got through and why, I wonder?

Please keep us updated on what happens. I will as well with mine that wasn’t hacked in the first place but I have this setup:

aaaaaand no luck…

DiskInternals crashed my whole system after 36h+ scanning at 90+% done and an unbelievable huge amount of findings still counting.
Compared to the other tools I tested this is veeeeeeeery slow. Even slower than photorec. And you don’t see what it found until the very end I guess.

All in all (and with the crash…) DiskInternals is out for me. If you want to go free, currently recuva would be my software of choice.

1 Like

I’ve tried DiskInternals (windows) and R-Linux (ubuntu) without success. Is EaseUS really a chance? It’s shareware/trial. Not sure if another 15 hour run or even pay more money is worth it, since these tools might do all the same behind the scenes…
they’re crazy - 70 bucks per month or 150 once

Hi, does anyone a bit more savvy know if the drive from my MBL will fit in this enclosure?

I’m thinking of the size and the connections…

I’m keeping my fingers crossed with diskinternals partition recovery. From 5pm Saturday until 0130 this morning UK time it was on 50%. That’s connected directly via Sata

Haven’t tried that one yet. recuva is also free and I could recover various images. For large files like videos or PDFs I’ve limited hope. Preview in DiskGenius was something between okay and total mess.

Hope the best for you! My run was from Saturday late afternoon until this morning 7:30 when suddenly my system crashed and my fans went wild.
Currently running DMDE, 25%, which is waaaaaay faster than DiskInternals and you get a count of your finds while it’s running.

Since we have nothing to lose, I gave it a shot. Results look surprisingly good, but it’s too early to judge. It finds quite a lot of different file types and shows previews. Filenames are gone. In the shareware/trial, the preview function is very limited, so I can’t tell for Word and Excel, but it could look good from the very small piece they show. It also seems to run much faster; it estimated about 5-6 hours for me, while the others ran about 15 or more.

I have yet to try any data recovery as I am waiting for a big enough disc to recover to. I have found the following entries in my router logs which might suggest that the device was initially compromised on the 18th June, but am posting this here for those that will be able to make more sense of it than I can. Prior to this there are no port scanning entries in my event log.

09:01:44	 18 Jun. Port forwarding rule deleted via UPnP/TR064. Protocol: TCP	 external ports: any->0	 internal client: 192.168.1.243
09:01:44	 18 Jun. Port forwarding rule deleted via UPnP/TR064. Protocol: TCP	 external ports: any->0	 internal client: 192.168.1.243
08:59:41	 18 Jun. DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=81.139.56.100 DST=*.*.*.* LEN=146 TOS=0x00 PREC=0x00 TTL=60 ID=18977 PROTO=UDP SPT=53 DPT=7 LEN=126 MARK=0x8000000
08:00:17	 18 Jun. DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=184.105.139.69 DST=*.*.*.* LEN=29 TOS=0x00 PREC=0x00 TTL=51 ID=49545 DF PROTO=UDP SPT=59252 DPT=19 LEN=9 MARK=0x8000000
07:00:17	 18 Jun. DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=81.139.56.100 DST=*.*.*.* LEN=147 TOS=0x00 PREC=0x00 TTL=60 ID=15248 PROTO=UDP SPT=53 DPT=19 LEN=127 MARK=0x8000000
07:00:17	 18 Jun. DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=81.139.57.100 DST=*.*.*.* LEN=147 TOS=0x00 PREC=0x00 TTL=60 ID=26592 PROTO=UDP SPT=53 DPT=19 LEN=127 MARK=0x8000000
03:00:17	 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=52213 DF PROTO=TCP SPT=37146 DPT=81 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17	 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=34388 DF PROTO=TCP SPT=51544 DPT=82 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17	 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4576 DF PROTO=TCP SPT=46424 DPT=83 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17	 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=59114 DF PROTO=TCP SPT=54156 DPT=84 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17	 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=43926 DF PROTO=TCP SPT=35506 DPT=85 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17	 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=58712 DF PROTO=TCP SPT=50726 DPT=86 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17	 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=714 DF PROTO=TCP SPT=51068 DPT=88 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17	 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=60000 DF PROTO=TCP SPT=34106 DPT=89 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17	 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=26232 DF PROTO=TCP SPT=59564 DPT=90 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17	 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=19944 DF PROTO=TCP SPT=49324 DPT=91 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
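
A way to read logs like the ones above without eyeballing them line by line, as an added example that is not part of the post or of any router vendor's tooling. It parses the router's layout (time, tab, day, category, then `KEY=VALUE` fields), groups firewall entries by source address and logged second, and reports any source that touched several distinct destination ports in that second, which is exactly what the 03:00:17 burst against ports 81 to 91 looks like; it also pulls out the UPnP rule changes, since a forwarding rule appearing or disappearing without you doing it is worth checking. The sample lines are a trimmed copy of those quoted above (trailing whitespace removed, only a few of the scan entries kept); the threshold of three ports is an assumption, tune it to your own logs.

```python
"""Parse router firewall log lines and flag port sweeps and UPnP rule changes.

Added example, not from the thread. Handles the layout shown in the post:
HH:MM:SS <tab> DD Mon. Category(...): KEY=VALUE KEY=VALUE ...
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the lines quoted in the post above.
SAMPLE_LOG = """\
09:01:44\t 18 Jun. Port forwarding rule deleted via UPnP/TR064. Protocol: TCP\t external ports: any->0\t internal client: 192.168.1.243
09:01:44\t 18 Jun. Port forwarding rule deleted via UPnP/TR064. Protocol: TCP\t external ports: any->0\t internal client: 192.168.1.243
08:59:41\t 18 Jun. DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=81.139.56.100 DST=*.*.*.* LEN=146 TOS=0x00 PREC=0x00 TTL=60 ID=18977 PROTO=UDP SPT=53 DPT=7 LEN=126 MARK=0x8000000
07:00:17\t 18 Jun. DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=81.139.56.100 DST=*.*.*.* LEN=147 TOS=0x00 PREC=0x00 TTL=60 ID=15248 PROTO=UDP SPT=53 DPT=19 LEN=127 MARK=0x8000000
03:00:17\t 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=52213 DF PROTO=TCP SPT=37146 DPT=81 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17\t 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=34388 DF PROTO=TCP SPT=51544 DPT=82 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17\t 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4576 DF PROTO=TCP SPT=46424 DPT=83 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17\t 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=59114 DF PROTO=TCP SPT=54156 DPT=84 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\t\s*(\d{1,2} \w+)\. (.*)$")
CATEGORY_RE = re.compile(r"^(\w+)\(([^)]*)\):")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split one log line into time, date, category and KEY=VALUE fields.

    Returns None for lines that do not follow the router's layout.
    """
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    time, date, rest = m.groups()
    cat = CATEGORY_RE.match(rest)
    if cat:
        category = f"{cat.group(1)}({cat.group(2)})"   # e.g. DoS(Port Scanning)
    else:
        category = rest.split(".")[0]                   # free-text events (UPnP)
    # Duplicate keys such as LEN keep the last value; the detector needs SRC/DPT only.
    return {"time": time, "date": date, "category": category,
            "fields": dict(KV_RE.findall(rest))}


def detect_port_sweeps(lines, min_ports=3):
    """Return (date, time, src, sorted ports) for every source that hit at least
    min_ports distinct destination ports within one logged second."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        f = rec["fields"]
        if "SRC" in f and f.get("DPT", "").isdigit():
            seen[(rec["date"], rec["time"], f["SRC"])].add(int(f["DPT"]))
    return [(d, t, s, sorted(ports))
            for (d, t, s), ports in sorted(seen.items()) if len(ports) >= min_ports]


def upnp_events(lines):
    """Return (date, time, description) for port-forwarding changes made via UPnP."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and "UPnP" in rec["category"]:
            out.append((rec["date"], rec["time"], rec["category"]))
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for d, t, src, ports in detect_port_sweeps(lines):
        print(f"{d} {t} {src} swept ports {ports}")
    for d, t, desc in upnp_events(lines):
        print(f"{d} {t} {desc}")
```

Feed it the real export instead of `SAMPLE_LOG` by replacing `SAMPLE_LOG.splitlines()` with the lines of the saved log file. Grouping by logged second is deliberate: the router already tags each entry as DoS(Port Scanning), but the grouping turns a dozen one-line alerts into one record per source that is easy to compare against the other posts' timelines.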

Maybe we should create a single, central post or page that contains all of the information regarding this situation in one place, or maybe create a public Google Docs page for that. Having all information in one location would help a lot of people, since this thread is getting massive, and I think it would also help us work on any possible solutions.

Myself, I would be very pleased if WD decided to create a firmware for us that simply removes all remote access features and renders the MBL strictly a LAN device, which is how I have always used mine anyway. I say this because I know it’s extremely unlikely that WD would create an updated, full-featured firmware for this device.

On my My Book Live Duo, I reinstalled the latest firmware. I’m hoping that would have removed any possibility that there was malicious code on my drive. As I mentioned earlier, it appears that this attack had different levels of device penetration, probably depending on which features the users had enabled.

Incidentally, WD’s current home flagship product, the My Cloud Expert Series EX2 Ultra has been on the market for over five years now. I wonder how much longer that product will be available, and when WD relegates that to the ‘legacy’ status graveyard.

3 Likes

You need this one 3.5" not 2.5"

I got everything I needed back and then some. Now looking at restoring the lost partitions and making a readable drive with some structure to see if I can 100% restore everything, but really only out of interest!

1 Like