Help! All data in mybook live gone and owner password unknown

Yes, that could be the issue but also consider how raw scans work:

You open file once a signature is detected but with many files main problem is when to close it. For many file types you can not tell easily what their size is, only few end with some kind of end of file signature. So then the tool needs to guess:

  • Assume certain default file size
  • File end where next file starts

Since many of these signatures are not unique byte patterns they can occur at any time. So assume we detected JPEG signature (0xFFD8FF) but now tool detects byte pattern 0x494433. That could be perfectly valid JPEG data but also start of MP3 file. If tool assumes the latter we end up with a corrupt JPEG and corrupt MP3 file. In these cases it can help to overrule the tool’s default selection for file to detect. IOW disable MP3 and it may recover a perfectly fine JPEG file. The same may apply to your RAR files.

TruckerJoe, I am running the Disk Internals Data Recovery programme on the /DataVolume part of the drive. It is about the same size as your /CacheVolume part of your drive at 1.8TB. 30hours in and 5% completed. It does not say how many files recovered yet, just some about SuperBits(?) and Inodes(?).

Attention!!! Fix of the vulnerability !!!

My previous bugfix which I posted yesterday did not work. I updated my post!
I have now tested the fix with my MyBook Live Duo: I could successfully exploit the vulnerability on my NAS, and after the fix, the attack does not work anymore. I won’t post the exploit code here, because I don’t want that more people exploit the vulnerability.

Furthermore, I have analyzed the code inside /var/www/ and did not find any further root command injections which don’t require authentication.

Additional security settings you should consider

  1. Disable “remote access” in the UI
  2. Change “connection options” from “automatic” to “manual”, this disables UPnP
    (thanks to @WDMyBookDead for that hint! They posted a screenshot above)
  3. Disable UPnP in your router
  4. Disable factory reset:
    If you believe that you will never need the factory restore, I recommend disabling it completely.
    Edit /usr/local/sbin/factoryRestore.sh and wipeFactoryRestore.sh and change line #2 to exit.
4 Likes

I monitor my network alot and outbound internet traffic from the NAS was pretty low (I didn’t see any major difference in my quota with my ISP uploads for a number of months) so if they did download it wasn’t much. They would want to get certain items but expect they wouldn’t really know which files.

That said even when the unit was in standby it was doing about 20 to 60kb constantly, but never MBs in speed, nor like I say overall quota wasn’t increased.

1 Like

Good info thanks!

I’m gonna end up with more than 2.000.000 files from first disc probably,
would be great that i can at least rescue pictures from the kids growing up. Man what a mess

UPNP: Was ON, now OFF
FTP: Not Allowed
MBL Remote Access: ON
MBL Auto Update: turned OFF
Behind FiOS Firewall
Also North America

I was able to connect to the dashboard without a password, change it back and connected.
Only to find the Public shares wiped like so many others.
I enabled SSH which works.
Also the mapped drives from Windows 10 PCs work.

But now I find that when I attempt to connect to http://mybooklive I get the error: ERR_CONNECTION_REFUSED

Rebooting the MBL allows me to connect to the dashboard, but only temporarily.
After a while I get the error again.

The IP address is static set by the FiOS router; I’ve confirmed it’s correct.

1 Like

This morning I got an email from WD that contained this:


See the line “We recommend you disconnect your MBL from the internet”. Well if you click the link it doesn’t take you to anything relevant to disconnecting the MBL from the internet. SEE HERE

@WD_Admin How about editing that link page with a clickable link something like “How to Disconnect your MBL from the internet”. Sure I could probably dig around there and find some info but why not make it EASY for the AVERAGE user!

Sheesh…I’m about to give up on WD…

BTW I disassembled my MBL and saved the drive and tossed the rest in the trash.

3 Likes

Sure, please see gist paste below, with thanks to @dracenmarx

2 Likes

Hi wis98,
Thank you for posting details. Let us know how the recovery goes.

Thanks!

Rounding the 500 posts, can we conclude that even knowing that there is a script that can be run remotely, despite that, users that never enabled (I mean never) the remote acces and then the Automatic option for unpnp that comes with that, were somehow safe from this attack?

I was already unhappy with WD, and now this happens to me. I was already thinking about alternatives, because WD has not continued to support this type of equipment. With this event, which also occurs due to the divestment of WD customers, it seems that the decision is increasingly clear.
At this point, the priority is to recover the data.

2 Likes

I was thinking along the same lines earlier. I think this is a result of an initial breach of their systems. Maybe product registration? I never registered with WD I never received an email from them.

1 Like

That is not correct. I had auto updates disabled, as well as remote access disabled and my MBL was wiped.

My MBL never had auto updates and remote access enabled. When my MBL was new and I originally set it up, I disabled both of those options because it looked like a potential security issue. I also never registered my MBL.

So just to be clear, having auto-update disabled and remote access disabled will not prevent this attack.

3 Likes

Fortunately, I was one of the very few who were unaffected by this exploit.

UPnP: off on MBL
Remote Access: off
Automatic Update: off
UPnP: On on router, however, was only on for one specific device. Has now been turned off

I combed over all of the log files on my MBL and the last date of any “real” activity was May 7th, so I dodged a bullet here.

I actually used this as a backup as I always run a multidisc system on my PC, so most of my files were on a secondary 1TB HDD. All of the movies/TV shows that were on the MBL, I own in disc form, so I was good there too. Much of my stuff is on a secondary backup (portable HDD). That being said, I’ve had this MBL for a long time and have been considering a major upgrade. Tested a couple of home built systems, but finally pulled the plug on a Synology system with a couple of IronWolf drives. This was just a final reminder for me to upgrade.

Best of luck to everyone who lost their data. I hope you are able to recover. I’m sure there will be some kind of class action suit come out of this.

Thanks Sky, so we dont have any conclusion here besides this hole that can affect users just because they are exposed and thats it.
Now Im wondering, since WD email says that is a legacy product… with all this damage that users had with their data loss, are WD gonna do something to patch it? Or thats it?
I mean, I was not affected, I discovered this issue because of WDs email.
I can turn off the drive a couple of days but why? If WD is not gonna take any serious action (not the joke that you should disconnect your NAS and use it with a cable to a Pc)
What we could expect now?

And if this is a trick from WD to force us upgrade legacy drives?

1 Like

Thanks for identifying the file. I grep’ed the directory for sudo bash and it’s a disaster, and I wasn’t sure how to test your original fix, so I just commented out all the sudo bash lines, a little drastic, but if it stops the exploit…

Does anyone know how to remove all the WD software from the Mybooklive, leaving a pure debian installation, without reinstalling debian from scratch?

1 Like

I don’t remember the sales pitch being:

Place years of your data on our drive until some random unspecified date when we silently deem your drive as a “legacy product” even though we still sell the same kind of hardware.

I knew groceries spoiled, but i wasn’t aware that hardware does too.

1 Like

Pikazzo, I’m pretty sure WD will not do much, if they had cared about their users they would have acted sooner or made a more secure product. So they are unlikely to now suddenly change their ways.

The root cause is that this device automatically uses uPnP to make itself accessible from the internet. If you manually disable this in the WD device, you should be safe. A router with proper security defaults will also save you: Allowing any device to open outside ports is convenient for the Playstation or XBox from the kids, but a known bad security practice. Good routers don’t allow this - your router manufacturer is likely at fault here too (unless you changed the default “allow uPnP” setting from off to on, then its on you).

In general if you you lost your data due to this problem, you now have noticed that a RAID is not a backup! Clearly, WD is at fault here, but you could also have lost your data due to:

  • Fire
  • Theft
  • Power Surges
  • a defective AC-DC power supply
  • malware
  • user error
  • the unit falling of the shelf
  • both drives dying at the same time
    and other possible causes. The main two reason here people have problems is: 1) WD has behaved in a very poor way, and 2) you did not have a backup.
3 Likes

So that sounds like a time bomb built into the original software.

2 Likes