Help! All data in mybook live gone and owner password unknown

Yes, I wrote the fix myself.
It was very easy, I just searched for all lines that contain the word “exec” and “sudo” and then looked which variables could be controlled by an attacker without authentication. Then wrapped the variables with escapeshellarg.
There are thousands of “unescaped” (vulnerable) execute commands, which is very unsafe coding style, but most of them are not critical because they could only be exploited if the attacker is already logged in.


If you have Remote Access enabled and automatic, UPnP is enabled. You may need to turn off UPnP on your Internet router/modem by logging into it and finding it within your router’s settings.


already turned off in modem

Am I correct in thinking that this only affected MBL users with Auto Update enabled? From the above posts it seems that users who had this setting disabled were unaffected.

I had auto updates enabled but remote access disabled. UPnP was enabled on my router. I disconnected my device on Thursday.

Losing access to 10 years of files, family photos, etc is hard to swallow but I am growing increasingly concerned that these files have now fallen into the wrong hands.

same happened to me. I’ve tried DiskInternals (windows) and R-Linux (ubunto) by connecting the drive to my PC with an adapter. None worked. Each scan took about 15 hours. There’s only some binary ■■■■ on it. DiskInternals Linux Recevory at least found the files and their names, but the contents were corrupted. Not even text file were readable anymore.

At least, I could restore some really important files from my Android Tablet. This app heavily utilizes caching. So if you accessed a file, a copy can be found in the android system folder.

The hard drive itself is intact. We can always format/partition it or continue to use the device…

Well, after that disaster, I’m not sure if I should buy another “NAS” or just move my stuff to a professional cloud service.

I had auto update enabled and was unaffected. I had remote access off, UPnP off on both the MBL and router, NAT on the router and the router firewall set to ‘medium’ for whatever that was worth. SSH was disabled and no ports forwarded on the router to the MBL.

I tend to think it was open ports on the router that did them in. They may have turned on UPnP unintentionally by briefly turning on remote access at some point and the UPnP then had the router open the ports and they never even knew they did it. The way the MBL turns on UPnP isn’t very clear as it doesn’t have a direct setting and is instead enabled with “automatic” being set.

Also, while first setting up their MBL they may have initially manually forwarded ports on their router and forgot about it. Some may have initially put their MBL within a DMZ on their routers and forgot about it as well which made it completely exposed to the Internet.

The attackers hunted for MBLs on the internet with open ports and inserted their payloads or perhaps more than we’ll ever know unfortunately since they may have coverd their tracks by factory resetting the machines after they were done. This is mere speculation on my part, if anyone knowledgeable would like to correct me, I’d appreciate it.


Hi all
I’d be grateful for a bit of help.
I’m lucky in that I have a MBL that doesn’t seem to be affected. I checked yesterday and the files seemed OK, so I pulled the network cable from it.
Am I right in thinking that if I apply MAC filtering on my router, that will stop it connecting to the internet and I should be safe?
If so, how can I get the MAC address without connecting it back up (which I don’t want to do for obvious reasons).
Thanks in advance, and I hope everyone who has had the problem gets their data back :frowning:

Im late to the party, I only got the notification from wd this morning. Couldn’t even login to view my folders either via app or online so plugged in to PC, like most, all data gone. Just doing a back up of my back up from PC. Then what, just have a network drive not connected to a network until WD fathom out whats gone on?

Im currently in the same boat. Been running Diskinternals Partition Recovery since last night. Currently 25% through

I’m also a user in the same situation, only found this out on Friday while trying to access my data, only received an email from WD to ‘unplug the device’ yesterday evening, which is a bit late when the attack already happened!!

My main concern is that the attackers may have copied all my data from the drive, is there any way I can tell if this happened? Maybe to check my Orbi router logs for large upload activity?

I think I have a backup of my most important data, but it may be a few months old, all I can say is that I won’t be trusting a networked drive ever again!! My MBL is now effectively redundant!!

Just received the WD email yesterday night in France 9:30 pm and read it this morning. My WD livebook duo is configured in RAID 1, 2 disks, and i am afraid i wont be able to recover anything.
Can you tell me your thought about this ? Thanks.

Well Joe, that’s one of the programs I’ve tried. Let’s see if you can find something. For me, the files were corrupted.

1 Like

My thought is to use a professional cloud service now. This product was sold as a back-up device, it’s actually unsafe. I’ve lost valuable things. For some files I have back-ups, but some of them are old.

I have been reading about the recent malware affecting the MyBookLive product. I have a MyCloud Mirror, should I be worried? Does anyone know how to contact customer support?..their chat doesn’t seem to be working really.

Ah ok, the more i’ve read that seems to have been the case, might have just been a horrible coincidence. Thank you for the response. If you have any info, do you know if this is safe to swap for a new one? (that is WD’s recommendation). I cant get it to connect to a pc in any way but i’m worried the sensitive data might still be on there and accessible.

I can’t imagine that attackers was just scanning the web to find weak systems. What about a breach in WD system that allowed them to retrieved known weak systems and then attack them ?

So i pulled the both discs from my MyBookLiveDuo and shuffed them in a usb 3 sata adapter, running PhotoRec 7.2 on windows 10 at the moment, dumping first HDD recovered files on a usb HDD. It’s running now for allmost 5 hours and done for 1/3. Finding alot of files, but folder structures and filenames are messed-up, nothing to do about that.

Let’s see if the files are valid after the scan. Then I’ll try this software too. Mine were corrupted in DiskInternals and R-Linux.

got a lot of corrupted files, mostly rar archives with i used to store customers video and animation projects. Guess that has to do with files being fragmented ;-(

I think these programs do all the same behind the scenes :-/

1 Like