Help! All data in MyBook Live gone and owner password unknown

Yes, that could be the issue, but also consider how raw scans work:

You open a file once a signature is detected, but with many files the main problem is when to close it. For many file types you cannot easily tell what their size is; only a few end with some kind of end-of-file signature. So the tool needs to guess:

  • Assume a certain default file size
  • The file ends where the next file starts

Since many of these signatures are not unique byte patterns, they can occur at any time. So assume we detected a JPEG signature (0xFFD8FF) but now the tool detects the byte pattern 0x494433. That could be perfectly valid JPEG data, but also the start of an MP3 file. If the tool assumes the latter, we end up with a corrupt JPEG and a corrupt MP3 file. In these cases it can help to overrule the tool’s default selection of file types to detect. IOW, disable MP3 and it may recover a perfectly fine JPEG file. The same may apply to your RAR files.
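The ambiguity described above, as an added toy carver written for this thread (my own code, not the poster's and not any recovery tool's logic). It applies both guesses from the post (a default maximum size, and "the file ends where the next header starts"), uses JPEG's EOI marker as an example of the few formats that do have an end signature, and shows that a constructed JPEG containing the bytes `ID3` is truncated when the MP3 signature is enabled and recovered whole when it is disabled. The signature table, the `carve`/`find_headers` names and the sample "disk" bytes are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Header signatures used by this toy carver (constructed table; "jpeg" and "mp3"
# are the two the post discusses).
HEADERS: Dict[str, bytes] = {
    "jpeg": b"\xFF\xD8\xFF",   # 0xFFD8FF
    "mp3":  b"ID3",            # 0x494433, start of an ID3v2 tag
    "rar":  b"Rar!\x1A\x07",   # RAR archive marker
}
# Only a few formats carry an end marker; JPEG's EOI (0xFFD9) is one of them.
TRAILERS: Dict[str, bytes] = {"jpeg": b"\xFF\xD9"}


@dataclass
class Carved:
    kind: str
    start: int
    end: int  # exclusive offset

    @property
    def size(self) -> int:
        return self.end - self.start


def find_headers(data: bytes, enabled: Sequence[str]) -> List[Tuple[int, str]]:
    """Return (offset, kind) for every occurrence of every enabled signature, in disk order."""
    hits: List[Tuple[int, str]] = []
    for kind in enabled:
        sig = HEADERS[kind]
        pos = data.find(sig)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def carve(data: bytes, enabled: Sequence[str] = tuple(HEADERS),
          default_size: int = 4096) -> List[Carved]:
    """Carve files: each one ends at the earliest of a default size cap, the next
    detected header, or (where the format has one) its own trailer."""
    hits = find_headers(data, enabled)
    carved: List[Carved] = []
    for i, (start, kind) in enumerate(hits):
        candidates = [start + default_size, len(data)]
        if i + 1 < len(hits):
            candidates.append(hits[i + 1][0])       # "file ends where the next file starts"
        trailer = TRAILERS.get(kind)
        if trailer is not None:
            t = data.find(trailer, start + len(HEADERS[kind]))
            if t != -1:
                candidates.append(t + len(trailer))  # end-of-file signature, when there is one
        carved.append(Carved(kind, start, min(candidates)))
    return carved


# Constructed sample: a "JPEG" whose body happens to contain the bytes ID3,
# followed by a "RAR" file, with slack space around both.
JPEG = b"\xFF\xD8\xFF\xE0" + b"\x00" * 20 + b"ID3" + b"\x00" * 20 + b"\xFF\xD9"
RAR = b"Rar!\x1A\x07\x00" + b"\x01" * 30
DISK = b"\x00" * 8 + JPEG + b"\x00" * 5 + RAR + b"\x00" * 8


def jpeg_recovered_intact(data: bytes, enabled: Sequence[str]) -> bool:
    """True if some carved 'jpeg' is byte-for-byte the sample JPEG."""
    return any(c.kind == "jpeg" and data[c.start:c.end] == JPEG
               for c in carve(data, enabled))


if __name__ == "__main__":
    for enabled in (tuple(HEADERS), ("jpeg", "rar")):
        print("enabled:", enabled)
        for c in carve(DISK, enabled):
            print(f"  {c.kind:4s} at {c.start:3d}, {c.size} bytes")
        print("  JPEG intact:", jpeg_recovered_intact(DISK, enabled))
```

With all three types enabled the carver cuts the JPEG at the `ID3` bytes and emits a bogus 30-byte MP3; with `mp3` disabled the JPEG runs to its EOI marker and matches the original. The same thing happens to a RAR file that contains a byte pattern some other enabled type claims, which is why the post suggests narrowing the type selection.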

TruckerJoe, I am running the Disk Internals Data Recovery programme on the /DataVolume part of the drive. It is about the same size as the /CacheVolume part of your drive at 1.8TB. 30 hours in and 5% completed. It does not say how many files are recovered yet, just something about SuperBits(?) and Inodes(?).

Attention!!! Fix for the vulnerability!!!

My previous bugfix, which I posted yesterday, did not work. I updated my post!
I have now tested the fix with my MyBook Live Duo: I could successfully exploit the vulnerability on my NAS, and after the fix the attack does not work anymore. I won’t post the exploit code here, because I don’t want more people to exploit the vulnerability.

Furthermore, I have analyzed the code inside /var/www/ and did not find any further root command injections that don’t require authentication.

Additional security settings you should consider

  1. Disable “remote access” in the UI
  2. Change “connection options” from “automatic” to “manual”; this disables UPnP
     (thanks to @WDMyBookDead for that hint! They posted a screenshot above)
  3. Disable UPnP in your router
  4. Disable factory reset:
     If you believe that you will never need the factory restore, I recommend disabling it completely.
     Edit /usr/local/sbin/factoryRestore.sh and wipeFactoryRestore.sh and change line #2 to exit.
4 Likes
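One way to carry out step 4 above with a backup and a check, as an added example that is not from the post or from WD. Rather than overwriting whatever is on line 2, it inserts an `exit 0` directly after the shebang, so the rest of the script is kept (in the `.bak` copy and in place) and the change can be reverted. The function names `disable_script` and `verify_disabled` are mine; the paths /usr/local/sbin/factoryRestore.sh and wipeFactoryRestore.sh come from the post, and the commands assume root on the NAS.

```sh
#!/bin/sh
# Make a script exit before it does anything, by inserting "exit 0" as line 2.
# Usage (as root on the MBL): disable_script /usr/local/sbin/factoryRestore.sh
#                             disable_script /usr/local/sbin/wipeFactoryRestore.sh

MARK='exit 0  # disabled: original saved as .bak'

disable_script() {
    script="$1"
    [ -f "$script" ] || { echo "no such file: $script" >&2; return 1; }
    # Only touch scripts whose first line is a shebang, so line 2 is a safe place to insert.
    head -n 1 "$script" | grep -q '^#!' || { echo "no shebang in $script" >&2; return 1; }
    # Idempotent: running it twice must not stack several exits.
    if verify_disabled "$script"; then
        return 0
    fi
    cp -p "$script" "$script.bak" || return 1
    # Rewrite in place from the backup (keeps the file's mode/ownership):
    # shebang, our exit, then the original body.
    { head -n 1 "$script.bak"; echo "$MARK"; tail -n +2 "$script.bak"; } > "$script"
}

verify_disabled() {
    # Succeeds only when line 2 is the exit we inserted.
    [ "$(sed -n '2p' "$1")" = "$MARK" ]
}
```

To re-enable the script later, copy the `.bak` back over it. The `sh -n`-style syntax check is not needed here because the inserted line is a plain `exit 0`, but running `verify_disabled` after a reboot is a cheap way to confirm a firmware update did not restore the original.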

I monitor my network a lot, and outbound internet traffic from the NAS was pretty low (I didn’t see any major difference in my upload quota with my ISP for a number of months), so if they did download, it wasn’t much. They would want to get certain items, but I expect they wouldn’t really know which files.

That said, even when the unit was in standby it was doing about 20 to 60kb constantly, but never MBs in speed, nor, like I say, was the overall quota increased.

1 Like

Good info thanks!

I’m gonna end up with more than 2.000.000 files from the first disc probably;
it would be great if I could at least rescue pictures of the kids growing up. Man, what a mess.

UPNP: Was ON, now OFF
FTP: Not Allowed
MBL Remote Access: ON
MBL Auto Update: turned OFF
Behind FiOS Firewall
Also North America

I was able to connect to the dashboard without a password, change it back and connected.
Only to find the Public shares wiped like so many others.
I enabled SSH which works.
Also the mapped drives from Windows 10 PCs work.

But now I find that when I attempt to connect to http://mybooklive I get the error: ERR_CONNECTION_REFUSED

Rebooting the MBL allows me to connect to the dashboard, but only temporarily.
After a while I get the error again.

The IP address is static set by the FiOS router; I’ve confirmed it’s correct.

1 Like

This morning I got an email from WD that contained this:


See the line “We recommend you disconnect your MBL from the internet”. Well if you click the link it doesn’t take you to anything relevant to disconnecting the MBL from the internet. SEE HERE

@WD_Admin How about editing that link page with a clickable link something like “How to Disconnect your MBL from the internet”. Sure I could probably dig around there and find some info but why not make it EASY for the AVERAGE user!

Sheesh
I’m about to give up on WD
BTW I disassembled my MBL and saved the drive and tossed the rest in the trash.

2 Likes

Sure, please see gist paste below, with thanks to @dracenmarx

2 Likes

Hi wis98,
Thank you for posting details. Let us know how the recovery goes.

Thanks!

Approaching 500 posts, can we conclude that, even knowing there is a script that can be run remotely, users who never enabled (I mean never) remote access, and therefore the Automatic option for UPnP that comes with it, were somehow safe from this attack?

I was already unhappy with WD, and now this happens to me. I was already thinking about alternatives, because WD has not continued to support this type of equipment. With this event, which also occurs due to the divestment of WD customers, it seems that the decision is increasingly clear.
At this point, the priority is to recover the data.

2 Likes

I was thinking along the same lines earlier. I think this is a result of an initial breach of their systems. Maybe product registration? I never registered with WD, and I never received an email from them.

1 Like

That is not correct. I had auto updates disabled, as well as remote access disabled and my MBL was wiped.

My MBL never had auto updates and remote access enabled. When my MBL was new and I originally set it up, I disabled both of those options because it looked like a potential security issue. I also never registered my MBL.

So just to be clear, having auto-update disabled and remote access disabled will not prevent this attack.

3 Likes

Fortunately, I was one of the very few who were unaffected by this exploit.

UPnP: off on MBL
Remote Access: off
Automatic Update: off
UPnP: on on the router; however, it was only on for one specific device. It has now been turned off

I combed over all of the log files on my MBL and the last date of any “real” activity was May 7th, so I dodged a bullet here.

I actually used this as a backup as I always run a multidisc system on my PC, so most of my files were on a secondary 1TB HDD. All of the movies/TV shows that were on the MBL, I own in disc form, so I was good there too. Much of my stuff is on a secondary backup (portable HDD). That being said, I’ve had this MBL for a long time and have been considering a major upgrade. Tested a couple of home built systems, but finally pulled the plug on a Synology system with a couple of IronWolf drives. This was just a final reminder for me to upgrade.

Best of luck to everyone who lost their data. I hope you are able to recover. I’m sure there will be some kind of class action suit come out of this.

Thanks Sky, so we don’t have any conclusion here besides this hole that can affect users just because they are exposed, and that’s it.
Now I’m wondering, since WD’s email says that it is a legacy product, with all this damage that users had with their data loss, are WD going to do something to patch it? Or that’s it?
I mean, I was not affected; I discovered this issue because of WD’s email.
I can turn off the drive for a couple of days, but why? If WD is not going to take any serious action (not the joke that you should disconnect your NAS and use it with a cable to a PC),
what can we expect now?

And what if this is a trick from WD to force us to upgrade legacy drives?

1 Like

Thanks for identifying the file. I grep’ed the directory for sudo bash and it’s a disaster, and I wasn’t sure how to test your original fix, so I just commented out all the sudo bash lines. A little drastic, but if it stops the exploit

Does anyone know how to remove all the WD software from the Mybooklive, leaving a pure debian installation, without reinstalling debian from scratch?

1 Like

I don’t remember the sales pitch being:

Place years of your data on our drive until some random unspecified date when we silently deem your drive as a “legacy product” even though we still sell the same kind of hardware.

I knew groceries spoiled, but I wasn’t aware that hardware does too.

1 Like

Pikazzo, I’m pretty sure WD will not do much; if they had cared about their users they would have acted sooner or made a more secure product. So they are unlikely to suddenly change their ways now.

The root cause is that this device automatically uses UPnP to make itself accessible from the internet. If you manually disable this in the WD device, you should be safe. A router with proper security defaults will also save you: allowing any device to open outside ports is convenient for the kids’ PlayStation or Xbox, but a known bad security practice. Good routers don’t allow this - your router manufacturer is likely at fault here too (unless you changed the default “allow UPnP” setting from off to on, then it’s on you).

In general, if you lost your data due to this problem, you have now noticed that a RAID is not a backup! Clearly, WD is at fault here, but you could also have lost your data due to:

  • Fire
  • Theft
  • Power surges
  • a defective AC-DC power supply
  • malware
  • user error
  • the unit falling off the shelf
  • both drives dying at the same time
  • and other possible causes.

The two main reasons people here have problems are: 1) WD has behaved in a very poor way, and 2) you did not have a backup.
2 Likes

So that sounds like a time bomb built into the original software.

1 Like