Help! All data in mybook live gone and owner password unknown

Get one of these HERE

1 Like

Ha, no, I thought his machine could see the disk. Yeah: I put mine in a powered external hard drive enclosure

1 Like

My router is a Linksys WRT1900AC and I used the parental control option to disable all internet access from the MBL. I tested the effectiveness of the parental controls at blocking the internet on a few devices, and they were blocked from the internet. Strangely, when I restricted the MBL in this way, it was still communicating with the internet. The factory firmware on the router is extremely basic, which makes this situation more frustrating.

1 Like

I don't think this is caused by the current attack on the MBL. Looks like your drive hardware may have failed.

1 Like

I have been lucky enough not to get caught with this. I have UPNP enabled and the latest FW. I am however using the dns 9.9.9.9. This might have blocked the malicious traffic.

One of my MBLs got wiped, and the default password doesn't work, so I assume the malware got me too. I did NOT have internet access turned on, just LAN. Fortunately, I have a backup, but it's an MBL also. I deprived the entire array of power for now.

Now I'm afraid to turn them back on. I think I will shut off my WAN access entirely, so I can power up the drives and restore the backup. I just hope the malware is not somehow resident in the drives now. If I turn these back on, isolated from the internet, and they wipe themselves anyway … :\

So what's the procedure to restore the default password? I'm not interested in data recovery. Should I just do the factory reset? Will it even work? Or will I end up shitcanning this drive now.

DNS is not relevant to this exploit. You got lucky. You should disable UPnP immediately.

Be honest with us now. Are you going to do anything to help people get their data back? Offer step by step on how to recover, or provide software that might allow us to recover it?

My drive has been off since this happened, no activity on it, so hopefully when a clear recovery path is known it will be possible.

3 Likes

Have a look at the results here and prepare to be shocked. This could be one way the IP addresses of the drives were obtained.

4 Likes

This user has posted the most detailed information about data recovery so far: Help! All data in mybook live gone and owner password unknown - #227 by andyman1222

Other users have reported success with Ontrack EasyRecovery, PhotoRec, DiskGenius, or EaseUS. Still others have reported PhotoRec was unsuccessful for them.

Still others have had their hardware evaluated by a professional data recovery firm.

This doesn't help you now, but there's no real substitute for having backup copies of your data. Even if this exploit hadn't occurred, any hardware can fail.

So my DNS is using the Quad9 security and privacy DNS. This DNS service could have potentially blocked the remote IP addresses that have been discovered from pushing out the command to remote wipe to my device. From what I'm reading, UPnP being disabled or enabled hasn't made any difference.

Think of DNS like an old-school phone book (remember those?) With a phone book, if you know a name, you can look up the name to find the associated phone number.

With DNS, if you know a name like wd.com, you can look up the name to find the associated IP address, like 54.218.213.83.

DNS won't prevent inbound attacks any more than a phone book will protect you from theft if you leave your front door open. In the case of this specific attack, the attacker's script doesn't use DNS (the IP address is hard coded).
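Editor's added example (not code from the thread, not WD's): the post above makes the point that a script aimed at a hard-coded IP never asks DNS for anything, so a filtering resolver has nothing to block. What the router does still have to do is forward the inbound SYN to the NAS, and that is the trace a log review can find. The log lines below are constructed in iptables "kernel:" style; 192.168.1.50 as the My Book Live's LAN address is an assumption, and real consumer routers log in their own formats.

```python
"""Added example (not from the thread): scan a router forwarding log for
inbound TCP connections from public addresses to the NAS's web port.
SAMPLE_LOG is constructed; NAS_IP = 192.168.1.50 is an assumption."""
import ipaddress
import re
from collections import Counter

NAS_IP = "192.168.1.50"          # assumption: LAN address of the My Book Live
WEB_PORTS = {80, 443}            # assumption: the NAS web UI listens here
# Ranges that cannot be an internet source: RFC 1918, CGNAT, loopback, link-local.
# Checked explicitly rather than via ipaddress.is_global, because is_global also
# treats the documentation ranges used in the sample log as non-global.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+).*?\bIN=(?P<iface>\S*).*?SRC=(?P<src>[\da-fA-F.:]+)"
    r"\s+DST=(?P<dst>[\da-fA-F.:]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")

# Constructed sample: one LAN-to-NAS hit, two inbound hits from a public address
# to the NAS's HTTP port, one outbound line, one UDP line, one non-FWD line.
SAMPLE_LOG = """\
Jun 24 02:58:03 gw kernel: [FWD] IN=br0 OUT=br0 SRC=192.168.1.20 DST=192.168.1.50 PROTO=TCP SPT=49152 DPT=80 SYN
Jun 24 03:12:41 gw kernel: [FWD] IN=eth0 OUT=br0 SRC=203.0.113.7 DST=192.168.1.50 PROTO=TCP SPT=51234 DPT=80 SYN
Jun 24 03:12:42 gw kernel: [FWD] IN=eth0 OUT=br0 SRC=203.0.113.7 DST=192.168.1.50 PROTO=TCP SPT=51235 DPT=80 SYN
Jun 24 03:15:10 gw kernel: [FWD] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.80 PROTO=TCP SPT=50001 DPT=443 SYN
Jun 24 03:20:00 gw kernel: [FWD] IN=eth0 OUT=br0 SRC=198.51.100.9 DST=192.168.1.50 PROTO=UDP SPT=40000 DPT=80
Jun 24 03:21:00 gw dnsmasq[311]: query[A] wd.com from 192.168.1.20
"""

def parse_line(line):
    """One forwarding-log line -> dict, or None for lines that are not FWD records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"])
    return ev

def is_public(addr):
    """True for anything outside the LAN/CGNAT/loopback/link-local ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in LAN_NETS)

def suspicious_inbound(log_text, nas_ip=NAS_IP, ports=WEB_PORTS):
    """Inbound TCP connections from public sources to the NAS's web port(s)."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if (ev and ev["dst"] == nas_ip and ev["proto"] == "TCP"
                and ev["dpt"] in ports and is_public(ev["src"])):
            hits.append(ev)
    return hits

def sources_by_count(hits):
    """Hits per public source, the thing to compare against any expected remote-access client."""
    return Counter(h["src"] for h in hits)

if __name__ == "__main__":
    found = suspicious_inbound(SAMPLE_LOG)
    for ev in found:
        print(ev["ts"], ev["src"], "->", ev["dst"], ev["dpt"], "via", ev["iface"])
    print(sources_by_count(found))
```

Against the sample the two 03:12 lines are the ones that matter: a public source arriving on the WAN interface and being forwarded to the NAS's port 80. A DNS log of the same night would show nothing for them, which is the whole reason the resolver choice is beside the point here.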

That cable is ok for laptop drives that are small but the larger desktop drives will need more power. There are other cables available which have two usb ports at the end so they can get extra power.

I had EXACTLY this same problem. I have 6 WD MyBook LiveDuos and two of my older servers were completely empty 6/24/21 morning! The other four servers are EX2 models and they were OK. The 2 wiped (older model) drives had been working fine since 2015! I lost all of my documents (including tax returns), software manuals, family pictures/videos and music I've been storing digitally since the 1980s that I had moved in 2015 onto the RAID 1 servers FOR SAFETY! NOT HAPPY AT ALL!

UPnP was disabled on all of my servers and two were wiped anyway. Both were older models. The other 4 EX2 models were still intact.

I had UPnP enabled on my router but wasn't affected (disabled now). I didn't think UPnP could be triggered from the outside - my basic understanding being that UPnP simply opens/configures ports on a router based on initial requests from devices on the internal network.

In any case, Iā€™ve now blocked access to the internet on my router for my MBL and have turned it back on.

A few other thoughts have now crossed my mind - besides auto firmware updates and remote access, there's also FTP access but it seems everyone has had a mix of these enabled/disabled and yet still impacted.

How about the default ssh root password (welc0me) - how many changed it or left it default? Could this have been the vector?

Finally, the question also remains whether the "attackers" had access to the data on drives and have potentially compromised owners (privacy, etc.) and for how long. It's also interesting that they chose a destructive attack vs. encryption/ransom that's typical now. Could be they only had access to built-in commands/scripts and decided on factory reset.

I also don't quite understand how UPnP works (see my question above) and how attackers could or could not access the HTTP service of one or more MyBook devices behind a NAT. Please, can anybody explain this to me.

I don't think SSH is the attack vector, because this feature needs to be unlocked manually, and usually only experts are using SSH, not regular customers. And since there are so many customers affected, I don't think they all have SSH.

On a related issue I think… since the attack and loss of data I have removed the MBL HDD and am scanning it with the DiskInternals Data Recovery programme… but… I can no longer access any of my security cameras when away from the house ??? Did the attack do something to my router to prevent remote access like I used to have???
Any help please?? It's a UK Sky router.

If it is a botnet that attacks IoT devices, then the camera could also be hacked, I think

1 Like

UPNP: OFF
FTP: Not Allowed
MBL Remote Access: turned OFF
MBL Auto Update: turned OFF
Also North America

2 older WD MyBook LiveDuos factory reset sometime during the previous night because I had been using them locally 6/23/21 and they were intact yet 6/24/21 everything was gone. This is not at a business and I am the only user at home and I don't participate in 'risky' practices like opening email attachments or clicking email embedded links. Windows AV and firewall active. Malwarebytes active. About the only place I go to is YouTube. No Facebook. I haven't checked my email on my computer in weeks (I use my smartphone) and SPAM and unknowns go into the Bit Bucket unopened. Both firewall logs recorded no unusual connections/traffic. No idea how/what could get in and trigger the factory reset on two servers but I lost everything (almost 6 TB) that I had there.

2 Likes