Help! All data in mybook live gone and owner password unknown

Yeah - same IP numbers I had - I just obscured the numbers because it is probably not a good idea to go there.


All my data is lost , factory reset from remote hacker attack!! Help !!

Dude, people that are here have obviously learned they made a mistake by losing their family photos and more. I don't think you need to reiterate to anyone reading this thread the importance of dual (or more) backups, nor using an old, outdated NAS from WD that's connected to the Internet. People are obviously hurting here and filled with regret. Drop it.

How much personal and/or financial information was stolen?

Hopefully, none.

This is anecdotal, so more research is needed obviously.

Why wipe the devices rather than demand ransom?

  • Why not? Sociopaths exist.

  • Hide tracks. Made an error or otherwise that left traces so sent factory reset code.

  • Government intelligence agency wants to make public afraid to use NAS devices in general and choose cloud storage whereas they have more universal access.

  • Corporate espionage from NAS competitor. Expose WD for being shabby.

What was the original attack vector?

This:

CVE-2018-18472

Then the hunt for devices made terribly easy by WD corporate ineptitude:

The attack vector was likely finding MBL devices exposed on the Internet, port scanning for holes, then going through them like butter because the security was so horribly implemented in the first place by WD.

Those that can get back any of their data probably are very lucky it wasn't encrypted with ransomware. For all we know that was the endgame, but mistakes of some kind were made and they aborted and sent the factory reset code to cover their tracks.

What is the true motivation of the attackers?

For the nookie?

There has been success for many people getting at least some of their data back. Read carefully through the thread and you'll see assorted solutions people are trying with varying success. If I were you, I'd pick the ones with the most success and go with that. Good luck and I'm sorry this happened to you.

Oh no, I'm sorry you found the wget. Did you have any data loss or factory reset?

What was the specific ssh command you put in to see that? Was it this below?

MyBookLive:~# ls -la /etc/crontab

Had you previously had UPnP enabled on the MBL and your router or manually forwarded ports?

Be civil or I will report you, dude. People here have enough to worry about without you cluttering up the thread with your personal issues.


The same issue here. No access to the shared drives, at the UI a request for a password, nothing worked. A reset through WD's instructions (via the link in their alert email), where no data will be lost. The pin in the reset button for about 4 seconds.

Finally access to the UI, but the terrifying discovery that all data of the past 10 years is gone! Most important all pictures! Everything from my kids and all. In tears.

The device shows only 3GB of 2TB is used.

I would really want to know what caused this issue. Has WD been contacted by hackers? How did they know I have a Mybook live? Is it a ransom based hack? Is there any possibility to get the data back?

How was it possible to hard reset my drive? And how come I did not get the email message I receive from the device after for instance loss of power?

Many questions together with the true pain of what is lost.

I friendly urge WD on giving answers.

Lost everything to a factory reset. I previously had UPnP enabled on MBL and FiOS router. Now (too late) disabled both places. No manually forwarded ports to the MBL.

I used ssh command

MyBookLive:~# cat /etc/crontab

Thank you for the info! It can seriously help us all to figure out how this happened. I'm very sorry you got hit by this.

I hope you're able to recover some of your data if it was your only backup. There's varying degrees of success by people in this thread getting their data back.

tl;dr - I'm too busy trying to assist people here and share info on the hack. If you want to do the same yourself, it would be appreciated. Otherwise, we'll just have to agree to disagree if that's something you're capable of.

I'm very sorry you got hit with this hack, I'll try to answer some of your questions based on what I've learned in the past few days.

Has WD been contacted by hackers?

I don't think so. There was no ransomware encryption used, so no demands could be made.

How did they know I have a Mybook live? Is it a ransom based hack?

Unfortunately, they likely found it through these types of easy methods:

This vulnerability here CVE-2018-18472 was never patched by WD, so all they likely needed to do was scan the Internet for devices, search for open ports, then break in.

Those that can get back any of their data probably are very lucky it wasn't encrypted with ransomware. For all we know that was the endgame, but perhaps mistakes of some kind were made and they aborted and sent the factory reset code to cover their tracks.

How was it possible to hard reset my drive?

They had root access to your device to enable them to send a factory reset command.

And how come I did not get the email message I receive from the device after for instance loss of power?

Your email info was deleted by the factory reset I assume.

Is there any possibility to get the data back?

Likely YES. There's a lot of people using different methods to get at least some of their data back with varying degrees of success. If I were you I would carefully go through the entire thread and look to see who collectively had the greatest success and emulate their steps. If you get stuck, ask them for advice. Most people within this thread are helpful and are trying to work with each other to make the best of this situation.

As far as them accessing the data to attain private information, it's still unclear if they did so or not. There's some hope here they did not, but it's far from conclusive:


I'm not entirely convinced that CVE-2018-18472 was in fact the original attack vector, despite assumptions to the contrary. There are simply too many unanswered questions to be 100% certain of anything.

Agreed, that's why myself and others in this thread say keywords such as "likely" and such, and have made it clear no one knows for sure exactly how this all went down nor the extent of the hack for sure.

Which brings me back to my original point about creating BACKUPS , which should always be the FIRST plan of action.

Fantastic. I'm sure no one has figured that out after losing their data or reading about it within this thread. Any other advice?

I no longer offer detailed guides and/or instructions because inexperienced users often get themselves into trouble, then blame me for trying to help them.

It's no surprise you've had previous hostile interactions with others before. You have serious ego issues and generally a bad attitude. Literally no one else in this thread has been uncivil until you came in here. Everyone is getting along except for you.

Please get over yourself and your ego and let's focus on helping each other. If you don't want to help, then you're just wasting time and just stroking your own ego and nothing more.

I've been quietly analyzing MBL firmware, deconstructing binary ELF files, reading countless security bulletins, and much more.

Great, perhaps you can start helping people now?

Until then, I'm done with you and no longer reading your posts. You've wasted enough of my time already with your bad attitude.


Hi guys, I'm from Brazil and I also had my drive attacked, approximately 1.5Tb of lost data.
As soon as I heard about it from the media, I disconnected my unit from the internet, but it was too late, it had already been reset.
Now, after unmounting, comes the task of trying to retrieve my photos and some videos and other files.
I'm trying to use EaseUS Data Recovery, I think I'll be successful in part, the problem will be that the content will be completely disorganized / mixed which practically makes the content unfeasible.

I think comments about using Dual Backups, that the drive shouldn't be connected to the internet (which is why I bought it) and other recommendations are now no longer welcome.

Sometimes people do not take these security measures, yes out of negligence, but often because they cannot acquire a reserve unit, they do not have enough knowledge to do so, remember that we are talking about a global attack.
Here, even today, many years after having purchased this unit, it is still very expensive (here).

Having a new (and even double) unit is impossible / too expensive.

I think it would have been more logical for the WD company to have maintained at least a minimum of security on the drives that were still in operation (my opinion).

Well, as I write this, 537Gb of my files (completely messed up) have been found and there's another 7 hours of disk scan to do.

I hope that everyone who had the same problem as I did manages to recover part or all of their files, and that in the end, we learned something from what happened...

I will probably not buy other connected devices from WD, I will look for more "secure" solutions.

Hugs to everyone and good luck!

Sorry for my English, I had to get help from Google translator.


Just this:

au_enable=disable
au_day=0
au_hour=3

Nothing that looks suspicious in the user.log AFAIK. It was automatically checking for firmware updates and not finding them and I think I manually tried it to see if that would spur the attack but it didn't and then you can see where I shut it off manually. All that was done via the GUI.

These are up to the 24th when I found out through media of the attack, then immediately unplugged the ethernet. Then made extra sure my router was hardened against MBL WAN exposure and plugged it back in and shut it down via the GUI. Then later ran MBL again after making a custom service blocker in my router for the MBL as an extra precaution.

user.log:

Jun 20 19:45:35 MyBookLive logger: exit standby after 12854 (since 2021-06-20 16:11:21.075927963 -0600)
Jun 20 19:46:11 MyBookLive logger: hostname=MyBookLive
Jun 20 19:47:43 MyBookLive logger: WD NAS: Email alerts REST API failed to return Success
Jun 20 20:26:59 MyBookLive logger: exit standby after 1759 (since 2021-06-20 19:57:40.575928112 -0600)
Jun 20 20:53:54 MyBookLive logger: exit standby after 7 (since 2021-06-20 20:53:47.107917661 -0600)
Jun 20 21:26:45 MyBookLive logger: exit standby after 8 (since 2021-06-20 21:26:37.943926190 -0600)
Jun 20 21:45:27 MyBookLive logger: exit standby after 518 (since 2021-06-20 21:36:49.183928050 -0600)
Jun 20 21:59:30 MyBookLive logger: exit standby after 239 (since 2021-06-20 21:55:31.867927711 -0600)
Jun 20 22:24:13 MyBookLive logger: exit standby after 7 (since 2021-06-20 22:24:06.595922511 -0600)
Jun 20 22:57:19 MyBookLive logger: exit standby after 1382 (since 2021-06-20 22:34:17.947926693 -0600)
Jun 20 23:27:54 MyBookLive logger: exit standby after 7 (since 2021-06-20 23:27:47.167926644 -0600)
Jun 20 23:59:40 MyBookLive logger: exit standby after 1302 (since 2021-06-20 23:37:58.343927398 -0600)
Jun 21 00:40:51 MyBookLive logger: exit standby after 8 (since 2021-06-21 00:40:43.847924619 -0600)
Jun 21 00:58:29 MyBookLive logger: exit standby after 454 (since 2021-06-21 00:50:55.031927125 -0600)
Jun 21 01:22:10 MyBookLive logger: exit standby after 7 (since 2021-06-21 01:22:03.643926498 -0600)
Jun 21 02:02:22 MyBookLive logger: exit standby after 1808 (since 2021-06-21 01:32:14.887928030 -0600)
Jun 21 02:27:12 MyBookLive logger: exit standby after 7 (since 2021-06-21 02:27:04.979922717 -0600)
Jun 21 02:58:00 MyBookLive logger: exit standby after 1244 (since 2021-06-21 02:37:16.331930269 -0600)
Jun 21 03:00:05 MyBookLive logger: Sleep random seconds=10380 before auto-update
Jun 21 03:30:47 MyBookLive logger: exit standby after 7 (since 2021-06-21 03:30:40.567917329 -0600)
Jun 21 03:58:08 MyBookLive logger: exit standby after 1037 (since 2021-06-21 03:40:51.823928375 -0600)
Jun 21 04:19:42 MyBookLive logger: exit standby after 8 (since 2021-06-21 04:19:34.827926114 -0600)
Jun 21 04:57:35 MyBookLive logger: exit standby after 1669 (since 2021-06-21 04:29:46.159927148 -0600)
Jun 21 05:18:10 MyBookLive logger: exit standby after 7 (since 2021-06-21 05:18:03.227917293 -0600)
Jun 21 05:53:05 MyBookLive logger: Trigger auto-update
Jun 21 05:53:12 MyBookLive updateFirmwareToLatest.sh: 06/21/21 11:53:12:: ( reboot )
Jun 21 05:53:12 MyBookLive /usr/local/sbin/updateFirmwareToLatest.sh: no upgrade
Jun 21 05:53:12 MyBookLive logger: exit standby after 1498 (since 2021-06-21 05:28:14.403928287 -0600)
Jun 21 06:25:47 MyBookLive logger: exit standby after 7 (since 2021-06-21 06:25:40.611926079 -0600)
Jun 21 06:58:54 MyBookLive logger: exit standby after 1383 (since 2021-06-21 06:35:51.863926744 -0600)
Jun 21 07:28:30 MyBookLive logger: exit standby after 8 (since 2021-06-21 07:28:22.815928153 -0600)
Jun 21 07:58:51 MyBookLive logger: exit standby after 1217 (since 2021-06-21 07:38:33.999927312 -0600)
Jun 21 08:20:26 MyBookLive logger: exit standby after 7 (since 2021-06-21 08:20:19.491919391 -0600)
Jun 21 08:58:04 MyBookLive logger: exit standby after 1654 (since 2021-06-21 08:30:30.755927682 -0600)
Jun 21 09:18:36 MyBookLive logger: exit standby after 7 (since 2021-06-21 09:18:28.635925323 -0600)
Jun 21 09:57:02 MyBookLive logger: exit standby after 1702 (since 2021-06-21 09:28:40.011927632 -0600)
Jun 21 10:18:38 MyBookLive logger: exit standby after 7 (since 2021-06-21 10:18:31.035925691 -0600)
Jun 21 10:58:32 MyBookLive logger: exit standby after 1790 (since 2021-06-21 10:28:42.411927744 -0600)
Jun 21 11:21:10 MyBookLive logger: exit standby after 8 (since 2021-06-21 11:21:02.807926872 -0600)
Jun 21 11:59:24 MyBookLive logger: exit standby after 1691 (since 2021-06-21 11:31:13.915927184 -0600)
Jun 21 12:25:12 MyBookLive logger: exit standby after 7 (since 2021-06-21 12:25:05.543917264 -0600)
Jun 21 12:41:53 MyBookLive logger: exit standby after 397 (since 2021-06-21 12:35:16.731928982 -0600)
Jun 21 13:00:32 MyBookLive logger: exit standby after 515 (since 2021-06-21 12:51:57.175926924 -0600)
Jun 21 13:30:09 MyBookLive logger: exit standby after 8 (since 2021-06-21 13:30:01.939924209 -0600)
Jun 21 14:00:44 MyBookLive logger: exit standby after 1231 (since 2021-06-21 13:40:13.291927460 -0600)
Jun 21 14:19:13 MyBookLive logger: exit standby after 8 (since 2021-06-21 14:19:05.955925300 -0600)
Jun 21 14:34:27 MyBookLive logger: exit standby after 310 (since 2021-06-21 14:29:17.239927924 -0600)
Jun 21 15:01:13 MyBookLive logger: exit standby after 1002 (since 2021-06-21 14:44:31.835927945 -0600)
Jun 21 15:28:42 MyBookLive logger: exit standby after 7 (since 2021-06-21 15:28:35.283917294 -0600)
Jun 21 16:01:29 MyBookLive logger: exit standby after 1363 (since 2021-06-21 15:38:46.639926977 -0600)
Jun 21 16:23:17 MyBookLive logger: exit standby after 704 (since 2021-06-21 16:11:33.771927896 -0600)
Jun 21 16:58:15 MyBookLive logger: exit standby after 1493 (since 2021-06-21 16:33:22.151927699 -0600)
Jun 21 17:16:39 MyBookLive logger: exit standby after 7 (since 2021-06-21 17:16:32.607925503 -0600)
Jun 21 17:59:37 MyBookLive logger: exit standby after 1974 (since 2021-06-21 17:26:43.827927040 -0600)
Jun 21 18:17:01 MyBookLive logger: exit standby after 7 (since 2021-06-21 18:16:54.443928070 -0600)
Jun 21 18:39:29 MyBookLive logger: exit standby after 744 (since 2021-06-21 18:27:05.631928414 -0600)
Jun 21 18:57:52 MyBookLive logger: exit standby after 499 (since 2021-06-21 18:49:33.387927662 -0600)
Jun 21 19:16:19 MyBookLive logger: exit standby after 7 (since 2021-06-21 19:16:12.563922234 -0600)
Jun 21 19:58:11 MyBookLive logger: exit standby after 1908 (since 2021-06-21 19:26:23.803926721 -0600)
Jun 21 20:25:39 MyBookLive logger: exit standby after 8 (since 2021-06-21 20:25:31.779927077 -0600)
Jun 21 20:59:30 MyBookLive logger: exit standby after 1427 (since 2021-06-21 20:35:43.055926506 -0600)
Jun 21 21:20:04 MyBookLive logger: exit standby after 7 (since 2021-06-21 21:19:56.707923514 -0600)
Jun 21 21:59:59 MyBookLive logger: exit standby after 1791 (since 2021-06-21 21:30:08.007928130 -0600)
Jun 21 22:30:36 MyBookLive logger: exit standby after 7 (since 2021-06-21 22:30:29.087926380 -0600)
Jun 21 22:57:17 MyBookLive logger: exit standby after 997 (since 2021-06-21 22:40:40.239928115 -0600)
Jun 21 23:34:10 MyBookLive logger: exit standby after 7 (since 2021-06-21 23:34:03.655919262 -0600)
Jun 21 23:58:53 MyBookLive logger: exit standby after 879 (since 2021-06-21 23:44:14.819922080 -0600)
Jun 22 00:30:59 MyBookLive logger: exit standby after 7 (since 2021-06-22 00:30:52.571915809 -0600)
Jun 22 00:58:35 MyBookLive logger: exit standby after 1052 (since 2021-06-22 00:41:03.811927206 -0600)
Jun 22 01:25:23 MyBookLive logger: exit standby after 7 (since 2021-06-22 01:25:16.555915798 -0600)
Jun 22 01:58:23 MyBookLive logger: exit standby after 1376 (since 2021-06-22 01:35:27.827927535 -0600)
Jun 22 02:31:07 MyBookLive logger: exit standby after 7 (since 2021-06-22 02:31:00.539924852 -0600)
Jun 22 02:59:58 MyBookLive logger: exit standby after 1127 (since 2021-06-22 02:41:11.867926831 -0600)
Jun 22 03:00:02 MyBookLive logger: Sleep random seconds=11100 before auto-update
Jun 22 03:21:31 MyBookLive logger: exit standby after 7 (since 2021-06-22 03:21:24.103928110 -0600)
Jun 22 04:00:17 MyBookLive logger: exit standby after 1722 (since 2021-06-22 03:31:35.383928680 -0600)
Jun 22 04:22:59 MyBookLive logger: exit standby after 8 (since 2021-06-22 04:22:51.771919221 -0600)
Jun 22 04:59:51 MyBookLive logger: exit standby after 1607 (since 2021-06-22 04:33:03.335928060 -0600)
Jun 22 05:30:29 MyBookLive logger: exit standby after 7 (since 2021-06-22 05:30:22.299924922 -0600)
Jun 22 06:00:33 MyBookLive logger: exit standby after 1200 (since 2021-06-22 05:40:33.483927319 -0600)
Jun 22 06:05:02 MyBookLive logger: Trigger auto-update
Jun 22 06:05:03 MyBookLive updateFirmwareToLatest.sh: 06/22/21 12:05:03:: ( reboot )
Jun 22 06:05:03 MyBookLive /usr/local/sbin/updateFirmwareToLatest.sh: no upgrade
Jun 22 06:22:09 MyBookLive logger: exit standby after 7 (since 2021-06-22 06:22:02.355926458 -0600)
Jun 22 06:58:13 MyBookLive logger: exit standby after 1560 (since 2021-06-22 06:32:13.527927793 -0600)
Jun 22 07:19:47 MyBookLive logger: exit standby after 7 (since 2021-06-22 07:19:40.019926128 -0600)
Jun 22 07:57:55 MyBookLive logger: exit standby after 1683 (since 2021-06-22 07:29:51.291927017 -0600)
Jun 22 08:29:35 MyBookLive logger: exit standby after 7 (since 2021-06-22 08:29:28.207918660 -0600)
Jun 22 09:00:35 MyBookLive logger: exit standby after 1256 (since 2021-06-22 08:39:39.463927984 -0600)
Jun 22 09:24:16 MyBookLive logger: exit standby after 7 (since 2021-06-22 09:24:09.091924725 -0600)
Jun 22 09:58:29 MyBookLive logger: exit standby after 1449 (since 2021-06-22 09:34:20.407928030 -0600)
Jun 22 10:21:07 MyBookLive logger: exit standby after 7 (since 2021-06-22 10:21:00.087925350 -0600)
Jun 22 10:58:46 MyBookLive logger: exit standby after 1655 (since 2021-06-22 10:31:11.207927836 -0600)
Jun 22 11:25:33 MyBookLive logger: exit standby after 7 (since 2021-06-22 11:25:26.431925882 -0600)
Jun 22 11:47:11 MyBookLive logger: exit standby after 694 (since 2021-06-22 11:35:37.603927794 -0600)
Jun 22 11:58:09 MyBookLive logger: exit standby after 54 (since 2021-06-22 11:57:15.655926866 -0600)
Jun 22 12:26:06 MyBookLive logger: exit standby after 7 (since 2021-06-22 12:25:59.495925163 -0600)
Jun 22 12:45:04 MyBookLive logger: exit standby after 534 (since 2021-06-22 12:36:10.699927311 -0600)
Jun 22 12:57:25 MyBookLive logger: exit standby after 137 (since 2021-06-22 12:55:08.767926931 -0600)
Jun 22 13:24:24 MyBookLive logger: exit standby after 7 (since 2021-06-22 13:24:17.251920152 -0600)
Jun 22 13:58:33 MyBookLive logger: exit standby after 1445 (since 2021-06-22 13:34:28.567927968 -0600)
Jun 22 14:32:20 MyBookLive logger: exit standby after 7 (since 2021-06-22 14:32:13.463925466 -0600)
Jun 22 14:58:08 MyBookLive logger: exit standby after 944 (since 2021-06-22 14:42:24.755927982 -0600)
Jun 22 15:27:42 MyBookLive logger: exit standby after 7 (since 2021-06-22 15:27:35.523925909 -0600)
Jun 22 16:00:28 MyBookLive logger: exit standby after 1362 (since 2021-06-22 15:37:46.819927686 -0600)
Jun 22 16:25:13 MyBookLive logger: exit standby after 8 (since 2021-06-22 16:25:05.843919444 -0600)
Jun 22 17:00:38 MyBookLive logger: exit standby after 1521 (since 2021-06-22 16:35:17.015927005 -0600)
Jun 22 17:20:11 MyBookLive logger: exit standby after 7 (since 2021-06-22 17:20:04.327925487 -0600)
Jun 22 17:59:43 MyBookLive logger: exit standby after 1768 (since 2021-06-22 17:30:15.555928077 -0600)
Jun 22 18:30:27 MyBookLive logger: exit standby after 8 (since 2021-06-22 18:30:19.835926074 -0600)
Jun 22 18:59:25 MyBookLive logger: exit standby after 1134 (since 2021-06-22 18:40:31.107926247 -0600)
Jun 22 19:19:59 MyBookLive logger: exit standby after 7 (since 2021-06-22 19:19:52.155918139 -0600)
Jun 22 19:57:51 MyBookLive logger: exit standby after 1667 (since 2021-06-22 19:30:04.227927006 -0600)
Jun 22 20:28:28 MyBookLive logger: exit standby after 8 (since 2021-06-22 20:28:20.811924817 -0600)
Jun 22 20:58:50 MyBookLive logger: exit standby after 1218 (since 2021-06-22 20:38:32.075927990 -0600)
Jun 22 21:18:24 MyBookLive logger: exit standby after 7 (since 2021-06-22 21:18:17.075917645 -0600)
Jun 22 21:57:57 MyBookLive logger: exit standby after 1769 (since 2021-06-22 21:28:28.347927769 -0600)
Jun 22 22:20:37 MyBookLive logger: exit standby after 7 (since 2021-06-22 22:20:30.091926581 -0600)
Jun 22 22:51:10 MyBookLive logger: exit standby after 1229 (since 2021-06-22 22:30:41.387927336 -0600)
Jun 22 23:29:11 MyBookLive logger: exit standby after 7 (since 2021-06-22 23:29:04.223925740 -0600)
Jun 23 00:02:29 MyBookLive logger: exit standby after 1394 (since 2021-06-22 23:39:15.419929189 -0600)
Jun 23 00:34:35 MyBookLive logger: exit standby after 8 (since 2021-06-23 00:34:27.883925932 -0600)
Jun 23 00:59:04 MyBookLive logger: exit standby after 865 (since 2021-06-23 00:44:39.179927291 -0600)
Jun 23 01:23:47 MyBookLive logger: exit standby after 8 (since 2021-06-23 01:23:39.907923568 -0600)
Jun 23 02:00:01 MyBookLive logger: exit standby after 1570 (since 2021-06-23 01:33:51.159928238 -0600)
Jun 23 02:32:41 MyBookLive logger: exit standby after 7 (since 2021-06-23 02:32:34.231925409 -0600)
Jun 23 03:00:08 MyBookLive logger: exit standby after 1043 (since 2021-06-23 02:42:45.527927347 -0600)
Jun 23 03:00:09 MyBookLive logger: Sleep random seconds=7920 before auto-update
Jun 23 03:23:50 MyBookLive logger: exit standby after 7 (since 2021-06-23 03:23:43.723926162 -0600)
Jun 23 04:02:20 MyBookLive logger: exit standby after 1706 (since 2021-06-23 03:33:54.915926631 -0600)
Jun 23 04:23:55 MyBookLive logger: exit standby after 7 (since 2021-06-23 04:23:48.635925660 -0600)
Jun 23 04:57:35 MyBookLive logger: exit standby after 1416 (since 2021-06-23 04:33:59.807926846 -0600)
Jun 23 05:12:09 MyBookLive logger: Trigger auto-update
Jun 23 05:12:09 MyBookLive updateFirmwareToLatest.sh: 06/23/21 11:12:09:: ( reboot )
Jun 23 05:12:09 MyBookLive /usr/local/sbin/updateFirmwareToLatest.sh: no upgrade
Jun 23 05:29:16 MyBookLive logger: exit standby after 7 (since 2021-06-23 05:29:09.379927896 -0600)
Jun 23 05:57:49 MyBookLive logger: exit standby after 1109 (since 2021-06-23 05:39:20.571927586 -0600)
Jun 23 06:17:21 MyBookLive logger: exit standby after 7 (since 2021-06-23 06:17:14.531917830 -0600)
Jun 23 06:28:13 MyBookLive logger: exit standby after 48 (since 2021-06-23 06:27:25.827926938 -0600)
Jun 23 06:59:38 MyBookLive logger: exit standby after 1281 (since 2021-06-23 06:38:17.311926181 -0600)
Jun 23 07:20:15 MyBookLive logger: exit standby after 7 (since 2021-06-23 07:20:08.663919775 -0600)
Jun 23 07:35:11 MyBookLive logger: exit standby after 292 (since 2021-06-23 07:30:19.951926931 -0600)
Jun 23 07:59:31 MyBookLive logger: exit standby after 856 (since 2021-06-23 07:45:15.159927354 -0600)
Jun 23 08:21:06 MyBookLive logger: exit standby after 7 (since 2021-06-23 08:20:59.643925603 -0600)
Jun 23 09:00:03 MyBookLive logger: exit standby after 1733 (since 2021-06-23 08:31:10.927926827 -0600)
Jun 23 09:21:39 MyBookLive logger: exit standby after 7 (since 2021-06-23 09:21:32.159916002 -0600)
Jun 23 10:00:38 MyBookLive logger: exit standby after 1735 (since 2021-06-23 09:31:43.487927574 -0600)
Jun 23 10:24:19 MyBookLive logger: exit standby after 7 (since 2021-06-23 10:24:12.091923467 -0600)
Jun 23 11:00:24 MyBookLive logger: exit standby after 1561 (since 2021-06-23 10:34:23.239927503 -0600)
Jun 23 11:34:16 MyBookLive logger: exit standby after 7 (since 2021-06-23 11:34:09.107925527 -0600)
Jun 23 11:58:51 MyBookLive logger: exit standby after 871 (since 2021-06-23 11:44:20.435927699 -0600)
Jun 23 12:22:31 MyBookLive logger: exit standby after 7 (since 2021-06-23 12:22:24.535926000 -0600)
Jun 23 12:59:09 MyBookLive logger: exit standby after 1594 (since 2021-06-23 12:32:35.787927011 -0600)
Jun 23 13:23:54 MyBookLive logger: exit standby after 7 (since 2021-06-23 13:23:47.279926658 -0600)
Jun 23 13:57:50 MyBookLive logger: exit standby after 1432 (since 2021-06-23 13:33:58.607926942 -0600)
Jun 23 14:23:35 MyBookLive logger: exit standby after 7 (since 2021-06-23 14:23:28.615926537 -0600)
Jun 23 14:55:19 MyBookLive logger: exit standby after 1300 (since 2021-06-23 14:33:39.903927729 -0600)
Jun 23 15:21:59 MyBookLive logger: exit standby after 8 (since 2021-06-23 15:21:51.827918153 -0600)
Jun 23 16:01:32 MyBookLive logger: exit standby after 1770 (since 2021-06-23 15:32:02.935928099 -0600)
Jun 23 16:26:20 MyBookLive logger: exit standby after 8 (since 2021-06-23 16:26:12.779919493 -0600)
Jun 23 17:02:07 MyBookLive logger: exit standby after 1543 (since 2021-06-23 16:36:24.011927059 -0600)
Jun 23 17:28:55 MyBookLive logger: exit standby after 7 (since 2021-06-23 17:28:48.611925405 -0600)
Jun 23 18:02:15 MyBookLive logger: exit standby after 1396 (since 2021-06-23 17:38:59.871927028 -0600)
Jun 23 18:34:57 MyBookLive logger: exit standby after 7 (since 2021-06-23 18:34:50.495926737 -0600)
Jun 23 18:58:38 MyBookLive logger: exit standby after 817 (since 2021-06-23 18:45:01.779928392 -0600)
Jun 23 19:35:39 MyBookLive logger: exit standby after 7 (since 2021-06-23 19:35:32.063925185 -0600)
Jun 23 19:58:08 MyBookLive logger: exit standby after 141 (since 2021-06-23 19:55:47.351927340 -0600)
Jun 23 20:19:42 MyBookLive logger: exit standby after 8 (since 2021-06-23 20:19:34.775925686 -0600)
Jun 23 21:01:11 MyBookLive logger: exit standby after 1885 (since 2021-06-23 20:29:46.135927088 -0600)
Jun 23 21:23:50 MyBookLive logger: exit standby after 8 (since 2021-06-23 21:23:42.803925536 -0600)
Jun 23 22:00:45 MyBookLive logger: exit standby after 1611 (since 2021-06-23 21:33:54.119927943 -0600)
Jun 23 22:32:26 MyBookLive logger: exit standby after 7 (since 2021-06-23 22:32:19.299917487 -0600)
Jun 23 22:44:47 MyBookLive logger: exit standby after 137 (since 2021-06-23 22:42:30.451926981 -0600)
Jun 23 23:00:57 MyBookLive logger: exit standby after 366 (since 2021-06-23 22:54:51.307927646 -0600)
Jun 23 23:24:42 MyBookLive logger: exit standby after 7 (since 2021-06-23 23:24:35.295919346 -0600)
Jun 24 00:02:11 MyBookLive logger: exit standby after 1645 (since 2021-06-23 23:34:46.703926480 -0600)
Jun 24 00:25:54 MyBookLive logger: exit standby after 8 (since 2021-06-24 00:25:46.711925526 -0600)
Jun 24 00:58:13 MyBookLive logger: exit standby after 1335 (since 2021-06-24 00:35:58.051928415 -0600)
Jun 24 01:18:44 MyBookLive logger: exit standby after 7 (since 2021-06-24 01:18:37.535924894 -0600)
Jun 24 01:59:14 MyBookLive logger: exit standby after 1826 (since 2021-06-24 01:28:48.839928899 -0600)
Jun 24 02:25:06 MyBookLive logger: exit standby after 8 (since 2021-06-24 02:24:58.951925254 -0600)
Jun 24 02:58:21 MyBookLive logger: exit standby after 1391 (since 2021-06-24 02:35:10.255927834 -0600)
Jun 24 03:00:05 MyBookLive logger: Sleep random seconds=1740 before auto-update
Jun 24 03:29:05 MyBookLive logger: Trigger auto-update
Jun 24 03:29:05 MyBookLive updateFirmwareToLatest.sh: 06/24/21 09:29:05:: ( reboot )
Jun 24 03:29:05 MyBookLive /usr/local/sbin/updateFirmwareToLatest.sh: no upgrade
Jun 24 03:31:07 MyBookLive logger: exit standby after 7 (since 2021-06-24 03:31:00.215926319 -0600)
Jun 24 04:00:24 MyBookLive logger: exit standby after 1153 (since 2021-06-24 03:41:11.463927156 -0600)
Jun 24 04:32:06 MyBookLive logger: exit standby after 7 (since 2021-06-24 04:31:59.439925814 -0600)
Jun 24 04:59:55 MyBookLive logger: exit standby after 1065 (since 2021-06-24 04:42:10.699927674 -0600)
Jun 24 05:20:27 MyBookLive logger: exit standby after 7 (since 2021-06-24 05:20:20.211926374 -0600)
Jun 24 06:00:06 MyBookLive logger: exit standby after 1775 (since 2021-06-24 05:30:31.431927397 -0600)
Jun 24 06:22:45 MyBookLive logger: exit standby after 7 (since 2021-06-24 06:22:38.651926237 -0600)
Jun 24 06:58:05 MyBookLive logger: exit standby after 1516 (since 2021-06-24 06:32:49.943928255 -0600)
Jun 24 07:18:34 MyBookLive logger: exit standby after 7 (since 2021-06-24 07:18:27.299921968 -0600)
Jun 24 07:58:32 MyBookLive logger: exit standby after 1794 (since 2021-06-24 07:28:38.643927950 -0600)
Jun 24 08:20:06 MyBookLive logger: exit standby after 7 (since 2021-06-24 08:19:59.711925557 -0600)
Jun 24 08:59:55 MyBookLive logger: exit standby after 1784 (since 2021-06-24 08:30:11.015926972 -0600)
Jun 24 09:30:33 MyBookLive logger: exit standby after 7 (since 2021-06-24 09:30:26.695925530 -0600)
Jun 24 09:57:38 MyBookLive logger: exit standby after 1021 (since 2021-06-24 09:40:37.891927481 -0600)
Jun 24 10:21:20 MyBookLive logger: exit standby after 8 (since 2021-06-24 10:21:12.883922544 -0600)
Jun 24 10:52:41 MyBookLive logger: exit standby after 1277 (since 2021-06-24 10:31:24.099928162 -0600)
Jun 24 11:19:23 MyBookLive logger: exit standby after 8 (since 2021-06-24 11:19:15.695925171 -0600)
Jun 24 11:30:42 MyBookLive logger: exit standby after 74 (since 2021-06-24 11:29:27.123927041 -0600)
Jun 24 11:58:04 MyBookLive logger: exit standby after 1038 (since 2021-06-24 11:40:46.047927807 -0600)
Jun 24 12:22:14 MyBookLive logger: exit standby after 7 (since 2021-06-24 12:22:07.099926010 -0600)
Jun 24 12:58:54 MyBookLive logger: exit standby after 1596 (since 2021-06-24 12:32:18.391927615 -0600)
Jun 24 13:23:41 MyBookLive logger: exit standby after 7 (since 2021-06-24 13:23:34.071917482 -0600)
Jun 24 13:57:37 MyBookLive logger: exit standby after 1432 (since 2021-06-24 13:33:45.391927452 -0600)
Jun 24 14:22:25 MyBookLive logger: exit standby after 8 (since 2021-06-24 14:22:17.911920269 -0600)
Jun 24 14:50:11 MyBookLive logger: exit standby after 1062 (since 2021-06-24 14:32:29.151927538 -0600)
Jun 24 15:29:54 MyBookLive logger: exit standby after 8 (since 2021-06-24 15:29:46.735925381 -0600)
Jun 24 15:44:27 MyBookLive logger: exit standby after 270 (since 2021-06-24 15:39:57.983927849 -0600)
Jun 24 15:58:03 MyBookLive logger: exit standby after 212 (since 2021-06-24 15:54:31.895926890 -0600)
Jun 24 16:20:43 MyBookLive logger: exit standby after 7 (since 2021-06-24 16:20:36.519926600 -0600)
Jun 24 16:35:41 MyBookLive logger: exit standby after 294 (since 2021-06-24 16:30:47.767927359 -0600)
Jun 24 16:58:40 MyBookLive logger: exit standby after 775 (since 2021-06-24 16:45:45.915926879 -0600)
Jun 24 17:24:26 MyBookLive logger: exit standby after 7 (since 2021-06-24 17:24:18.755927054 -0600)
Jun 24 17:58:35 MyBookLive logger: exit standby after 1445 (since 2021-06-24 17:34:30.039927939 -0600)
Jun 24 18:16:24 MyBookLive apache2: 192.168.0.27 WebUI::session_start()
Jun 24 19:00:00 MyBookLive logger: exit standby after 1963 (since 2021-06-24 18:27:17.599927281 -0600)
Jun 24 19:00:05 MyBookLive logger: hostname=MyBookLive
Jun 24 19:00:42 MyBookLive logger: WD NAS: Email alerts REST API failed to return Success
Jun 24 19:00:55 MyBookLive shutdown[15807]: shutting down for system halt
Jun 24 19:01:45 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 24 19:01:48 MyBookLive _: pkg: wd-nas
Jun 24 19:01:48 MyBookLive _: pkg: networking-general
Jun 24 19:01:49 MyBookLive _: pkg: apache-php-webdav
Jun 24 19:01:49 MyBookLive _: pkg: date-time
Jun 24 19:01:49 MyBookLive _: pkg: alerts
Jun 24 19:01:49 MyBookLive _: pkg: admin-rest-api
Jun 24 19:01:50 MyBookLive [admin-rest-api.preinst] 06/25/21 01:01:50: test
Jun 24 19:01:50 MyBookLive [admin-rest-api.preinst] 06/25/21 01:01:50: test()
Jun 24 19:01:50 MyBookLive [admin-rest-api.preinst] 06/25/21 01:01:50: done.
Jun 24 19:01:50 MyBookLive [admin-rest-api.postinst] 06/25/21 01:01:50: test context=test
Jun 24 19:01:50 MyBookLive [admin-rest-api.postinst] 06/25/21 01:01:50: permissions check for //var/www/Admin/webapp/config: PASSED
Jun 24 19:01:50 MyBookLive [admin-rest-api.postinst] 06/25/21 01:01:50: permissions check for /dynamicconfig.ini: FAILED
Jun 24 19:01:51 MyBookLive [admin-rest-api.postinst] 06/25/21 01:01:50: permissions check for //usr/local/nas/orion/: PASSED
Jun 24 19:01:51 MyBookLive [admin-rest-api.postinst] 06/25/21 01:01:50: permissions check for //usr/local/nas/orion//orion.db: PASSED
Jun 24 19:01:51 MyBookLive [admin-rest-api.postinst] 06/25/21 01:01:50: setup test for admin-rest-api: PASSED
Jun 24 19:01:51 MyBookLive [admin-rest-api.postinst] 06/25/21 01:01:51: done.
Jun 24 19:01:51 MyBookLive _: pkg: upnp-nas
Jun 24 19:01:51 MyBookLive _: pkg: dlna-server-access
Jun 24 19:01:51 MyBookLive _: pkg: dlna-server-twonky
Jun 24 19:01:51 MyBookLive _: pkg: itunes
Jun 24 19:01:52 MyBookLive _: pkg: nas-safepoint
Jun 24 19:01:52 MyBookLive _: pkg: webui
Jun 24 19:01:52 MyBookLive _: pkg: orion-resources
Jun 24 19:01:52 MyBookLive _: pkg: afp
Jun 24 19:01:56 MyBookLive S99wdInitFinalize: begin script: start
Jun 24 19:01:56 MyBookLive S99wdInitFinalize: currentRootDevice is set to /dev/md1
Jun 24 19:01:56 MyBookLive S99wdInitFinalize: currentRootDevice = /dev/md1
Jun 24 19:01:56 MyBookLive logger: hostname=MyBookLive
Jun 24 19:01:56 MyBookLive S99wdInitFinalize: Running final checks.. (version 02.43.10-048 on /dev/md1)
Jun 24 19:01:56 MyBookLive S99wdInitFinalize: #-------------------------------------------#
Jun 24 19:01:56 MyBookLive S99wdInitFinalize: System restart: current version is 02.43.10-048
Jun 24 19:01:56 MyBookLive S99wdInitFinalize: #-------------------------------------------#
Jun 24 19:01:56 MyBookLive S99wdInitFinalize: Rotate logs
Jun 24 19:01:56 MyBookLive _: run pkg bootup scripts:
Jun 24 19:01:56 MyBookLive [bootscript_001_networking-general] 06/25/21 01:01:56: ( boot-system  ) begin
Jun 24 19:01:56 MyBookLive logger: hostname=MyBookLive
Jun 24 19:01:56 MyBookLive [bootscript_001_networking-general] 06/25/21 01:01:56: done.
Jun 24 19:01:56 MyBookLive [bootscript_005_wd-nas] 06/25/21 01:01:56: ( boot-system  ) begin
Jun 24 19:01:56 MyBookLive [bootscript_005_wd-nas] 06/25/21 01:01:56: done.
Jun 24 19:01:56 MyBookLive [bootscript_015_webui] 06/25/21 01:01:56: ( boot-system  ) begin
Jun 24 19:01:56 MyBookLive [bootscript_015_webui] 06/25/21 01:01:56: done.
Jun 24 19:01:56 MyBookLive [bootscript_035_nas-safepoint] 06/25/21 01:01:56: ( boot-system  ) begin
Jun 24 19:01:56 MyBookLive [bootscript_035_nas-safepoint] 06/25/21 01:01:56: done.
Jun 24 19:01:57 MyBookLive [bootscript_075_orion-resources] 06/25/21 01:01:57: ( boot-system  ) begin
Jun 24 19:01:57 MyBookLive [bootscript_075_orion-resources] 06/25/21 01:01:57: done.
Jun 24 19:01:57 MyBookLive [bootscript_085_dlna-server-access] 06/25/21 01:01:57: ( boot-system  ) begin
Jun 24 19:01:57 MyBookLive [bootscript_085_dlna-server-access] 06/25/21 01:01:57: done
Jun 24 19:01:57 MyBookLive [bootscript_085_wd-lib] 06/25/21 01:01:57: ( boot-system  ) begin
Jun 24 19:01:57 MyBookLive [bootscript_085_wd-lib] 06/25/21 01:01:57: pkg wd-lib () system boot..
Jun 24 19:01:57 MyBookLive [bootscript_085_wd-lib] 06/25/21 01:01:57: done
Jun 24 19:01:57 MyBookLive apache2: 192.168.0.54 WebUI::session_start()
Jun 24 19:01:57 MyBookLive [bootscript_095_admin-rest-api] 06/25/21 01:01:57: ( boot-system  ) begin
Jun 24 19:01:58 MyBookLive apache2: 192.168.0.54 WebUI::session_start()
Jun 24 19:02:02 MyBookLive apache2: 192.168.0.54 WebUI::session_start()
Jun 24 19:02:03 MyBookLive apache2: 192.168.0.54 WebUI::session_start()
Jun 24 19:02:04 MyBookLive [bootscript_095_admin-rest-api] 06/25/21 01:02:04: done.
Jun 24 19:02:07 MyBookLive logger: /usr/local/sbin/monitorio.sh: waiting for system to become ready..
Jun 24 19:02:13 MyBookLive logger: /usr/local/sbin/monitorio.sh: waiting for system to become ready..
Jun 24 19:02:18 MyBookLive logger: /etc/rc2.d/S86orion: waiting for system to become ready..
Jun 24 19:02:19 MyBookLive : System ready
Jun 24 19:02:23 MyBookLive logger: Starting orion services: miocrawlerd, mediacrawlerd, communicationmanagerd
Jun 24 19:02:41 MyBookLive logger: WD NAS: Email alerts REST API failed to return Success
Jun 24 19:02:41 MyBookLive : Check if new firmware is available

I'm digging through the rest_api.log now and trying to find anything sus, but nothing so far. I'm thinking my previous security safeguards may have stopped me from getting hit or it was just luck of the draw, I dunno. Nonetheless, I was up 24/7 before and during the 23rd, briefly down on the 24th after I freaked out, then had been up and running ever since without issue and running my extra encrypted backups like normal.

I've tried some basic pentesting and my MBL doesn't show up on the WAN. I can access the MBL with my phone via the WD MyCloud app on the LAN, but not the WAN. I suspect that my security measure may have paid off during the attacks on the 23rd and perhaps thereafter, but I dunno.
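One way to automate the log combing described in this post, as an added example that is not part of the original post or of WD's tooling: it scans syslog lines in the format pasted above for WebUI sessions from addresses outside the LAN ranges, shutdown and restart events, and FAILED checks. The sample lines are constructed, and the 198.51.100.23 session entry is invented for illustration.

```python
import ipaddress
import re

# Constructed sample in the syslog format of the excerpt above; the
# 198.51.100.23 session line is invented (documentation address range).
SAMPLE_LOG = """\
Jun 24 18:16:24 MyBookLive apache2: 192.168.0.27 WebUI::session_start()
Jun 24 18:40:02 MyBookLive apache2: 198.51.100.23 WebUI::session_start()
Jun 24 19:00:55 MyBookLive shutdown[15807]: shutting down for system halt
Jun 24 19:01:50 MyBookLive [admin-rest-api.postinst] 06/25/21 01:01:50: permissions check for /dynamicconfig.ini: FAILED
Jun 24 19:01:56 MyBookLive S99wdInitFinalize: System restart: current version is 02.43.10-048
Jun 24 19:01:57 MyBookLive apache2: 192.168.0.54 WebUI::session_start()
"""

# RFC 1918 ranges plus loopback: the only sources a LAN-only NAS should see.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
SESSION = re.compile(r"apache2: (\S+) WebUI::session_start\(\)")

def triage(log_text):
    """Return (timestamp, kind, detail) tuples that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog line in the expected shape
        ts, _host, msg = m.groups()
        s = SESSION.search(msg)
        if s:
            try:
                ip = ipaddress.ip_address(s.group(1))
            except ValueError:
                findings.append((ts, "session-bad-source", s.group(1)))
                continue
            if not any(ip in net for net in LAN_NETS):
                findings.append((ts, "session-from-non-lan-ip", str(ip)))
        elif "shutting down for system" in msg:
            findings.append((ts, "shutdown", msg))
        elif "System restart" in msg:
            findings.append((ts, "restart", msg))
        elif msg.endswith(": FAILED"):
            findings.append((ts, "failed-check", msg))
    return findings
```

A shutdown or restart finding is only suspicious when nobody on the LAN triggered it, so read each one against the session lines just before it.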

I don't want to get off-topic and am not a big fan of conspiracy theories, but I wonder, do you think the death of McAfee and the mass destruction of WD devices are somehow connected? There were many reports and theories of a "dead man switch" that will be activated when he dies (though he said things will be released, not destroyed).

1 Like

I hope so, at least if people are going to lose their data and we're all spending time trying to fix our devices it's because of a famous, drug-addled murderer instead of some rando. :smiley:

How would I do that? I can't seem to find it.

MyBookLive:~# ls -la /etc/init.d/auto_update
ls: cannot access /etc/init.d/auto_update: No such file or directory
MyBookLive:~# cat /etc/init.d/auto_update
cat: /etc/init.d/auto_update: No such file or directory

I did find this:

MyBookLive:~# ls -la /etc/cron.d/auto_update
-rw-r--r-- 1 root www-data 115 Jun 24 19:06 /etc/cron.d/auto_update
MyBookLive:~# cat /etc/cron.d/auto_update
00 3 * * * root  /usr/local/sbin/getNewFirmwareUpgrade.sh immediate send_alert; /usr/local/sbin/checkAutoUpdate.sh

And I found this in auto_update.conf via ./current_config/etc in the system report I had previously exported and opened in BBEdit on my computer:

au_enable=disable
au_day=0
au_hour=3

Should I be trying other ssh commands?

Is it correct to say that after setting OFF the UPnP we can use that webpage to see if we're ok about exposed ports?

WD will not do anything except advise not to use the drive. They've known about the vulnerability for years and didn't do anything so why would they do anything now?

And I see some people are still not clear on something: disabling UPNP on the MBL will not prevent this attack.

My MBL had UPNP disabled and it was compromised. It seems there have been different levels of actual attack penetration, though.

To play it safe, my advice is to remove the drives inside the MBL and discard the enclosure. It is no longer a safe means of backup. WD will not release new firmware for a legacy product. And I'd also advise not replacing your MBL with another WD product. Since this vulnerability was known to WD for years and they didn't act upon it, how can anybody be sure that the same situation isn't true of their current product line? It's nice that WD sent an email out after the attack, when it was too late, but why couldn't they warn us before it happened, when they learned of this critical vulnerability years ago?

It's a shame that WD doesn't make it easy for users to simply cut off all internet functionality on this device. Even with remote access disabled, the MBL is still sending telemetry to WD.

Discard the device and replace it with another NAS. And don't buy a WD NAS again.

5 Likes

AFAIK you can check regardless. However, you should disable UPnP on your router no matter what because it's a known security issue.

Those port scanners on your link aren't very robust and may not show all your open ports. The best thing to do is to run something like nmap from the WAN.

If you want to do it for free and quickly, you can do it with Google Cloud Shell with your Gmail/Google account.

First, check your ip address here and copy it. You may need to disconnect from your VPN or you'll get the incorrect ip address for your MBL depending on how your home network is set up:

https://whatismyipaddress.com

  1. Go here (it's free)

  2. Then click "Go to Console" and sign into your Google account.

  3. You are now running a Linux container/instance thingy from the WAN and should see a console open up at the bottom of your browser.

  4. In the console install nmap with this command: sudo apt install nmap -y

  5. After it installs you can look for open ports with this command: nmap -sT (insert your copied ip address here)

  6. If your router blocks the scan, you can ramp it up with this command and wait a while as nmap digs for open ports: nmap -Pn (insert your copied ip address here)

  7. Wait a long while, maybe several minutes, while it tries to find your open ports.

  8. If you have open ports it'll look something like this:

(your username)@cloudshell:~ (my-project-(your project number)$ nmap -Pn (your ip address)
Starting Nmap 7.70 ( https://nmap.org ) at 2021-06-26 00:16 UTC
Nmap scan report for (your ip address)
Host is up (0.062s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
666/tcp open  john mcafee
667/tcp open  did not
668/tcp open  kill himself

Nmap done: 1 IP address (1 host up) scanned in 94.03 seconds

  9. If you have no open ports exposed via your router it'll look like this:

(your username)@cloudshell:~ (my-project-(your project number)$ nmap -Pn (your ip address)
Starting Nmap 7.70 ( https://nmap.org ) at 2021-06-28 00:24 UTC
Nmap scan report for (your ip address)
Host is up.
All 1000 scanned ports on (your ip address) are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.33 seconds

  10. If you have open ports and you don't need them open, close them. If you have open ports and you know what you are doing, leave them open. Otherwise, you are done.

Also @Skyscape is correct. There's no good reason to trust a MBL on a network again. Even though you'll see some of us on here applying a patch to it and hardening our routers to be able to perhaps run it on our LANs, there's no guarantee there's not something we've missed and we still get hacked.

My MBL is up basically as a guinea pig or 'canary in a coalmine' to see if hardening my router and turning off settings on the MBL perhaps will keep the hackers away (for now). I haven't applied any patches to it so I can see if it works. Granted, my MBL is an expendable extra backup so if I lose the data I'm fine with that.

My other devices on my network are NOT WD devices and are hardened for security so I'm not too concerned they are susceptible to an attack via the WD device (but I could be wrong, of course). I was never apparently hit and still not apparently hit by the hack even though I'm running it 24/7 on my LAN with constant auto backups going to it. So far everything is fine and nothing sus has been found by extensively combing through my logs, etc.

Here's my set-up before, during and after the hacks that seemed to happen to most people on Jun 23rd:

Remote access & UPnP: OFF on both router and MBL
Auto Update: It was on up until the 24th when I heard about the hack in the media and then disabled it.
Time Server: ON
SSH: OFF (I only briefly enable it after the 24th to investigate the MBL then I turn it back off again after I'm done each time)
FTP: OFF (always off, I've never trusted WD to implement that properly)
Mobile Access: ON (I'm able to reach the MBL with the WD MyCloud phone app on my LAN, but not through the WAN due to my router settings and that's intentional)

ISP ROUTER/MODEM Settings: Before the 24th, I had NAT enabled and its built-in firewall set to 'medium' for whatever that's worth. No ports manually forwarded at all and UPnP disabled. After I found out about the hack in the media on the 24th, I created a custom port blocking service on the router and applied it to the MBL for whatever that's worth:

YMMV, of course. As someone else has said in this thread, I'm a noob. So if my ignorant arse can do it, anyone can. :smiley:

4 Likes
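To turn the WAN scan from the post above into a repeatable check, this added example (not part of the original post) parses saved nmap output in the layout shown there and reports any open port that is not on an allowlist of ports you forward on purpose. Both scan transcripts are constructed: 203.0.113.10 is a documentation address and the port rows are invented.

```python
import re

# Constructed nmap output in the same layout as the scans in the post;
# 203.0.113.10 is a documentation address and the port rows are invented.
EXPOSED = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2021-06-28 00:24 UTC
Nmap scan report for 203.0.113.10
Host is up (0.062s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
8080/tcp open   http-proxy

Nmap done: 1 IP address (1 host up) scanned in 94.03 seconds
"""
CLEAN = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2021-06-28 00:24 UTC
Nmap scan report for 203.0.113.10
Host is up.
All 1000 scanned ports on 203.0.113.10 are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.33 seconds
"""

PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(.*)$")

def open_ports(nmap_text):
    """Return {(port, proto): service} for rows whose state is exactly 'open'."""
    found = {}
    for line in nmap_text.splitlines():
        m = PORT_ROW.match(line)
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4).strip()
    return found

def unexpected_exposure(nmap_text, allowed=frozenset()):
    """Open ports that are not in the allowlist of intentionally forwarded ports."""
    if "Nmap done:" not in nmap_text:
        raise ValueError("scan output is incomplete; rerun before trusting it")
    return {k: v for k, v in open_ports(nmap_text).items() if k not in allowed}
```

An empty result only covers the ports that scan probed; the default run shown in the post checks 1000 TCP ports.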

@Skyscape Thank you for confirming that.
This forum is making more progress than WD.

1 Like