Help! All data in mybook live gone and owner password unknown

Please keep us updated on what happens. I will as well with mine that wasn’t hacked in the first place but I have this setup:

aaaaaand no luck…

DiskInternals crashed my whole system after 36h+ scanning at 90+x% done and an unbelievably huge amount of findings still counting.
Compared to the other tools I tested this is veeeeeeeery slow. Even slower than photorec. And you don’t see what it found until the very end I guess.

All in all (and with the crash…) DiskInternals is out for me. If you want to go free, currently Recuva would be my software of choice.

1 Like

I’ve tried DiskInternals (windows) and R-Linux (ubuntu) without success. Is EaseUS really a chance? It’s shareware/trial. Not sure if another 15 hour run or even pay more money is worth it, since these tools might do all the same behind the scenes…
they’re crazy - 70 bucks per month or 150 once

Hi does anyone a bit more savvy know if the drive from my MBL will fit in this enclosure?

I’m thinking of the size and the connections…

I’m keeping my fingers crossed with DiskInternals partition recovery. From 5pm Saturday until 0130 this morning UK time it was on 50%. That’s connected directly via SATA.

Haven’t tried that one yet. Recuva is also free and I could recover various images. For large files like videos or PDFs I’ve limited hope. Preview in DiskGenius was something between okay and total mess.

Hope the best for you! My run was from Saturday late afternoon until this morning 7:30 when suddenly my system crashed and my fans went wild.
Currently running DMDE 25% which is waaaaaay faster than DiskInternals and you get a count of your finds while it’s running.

Since we have nothing to lose, I gave it a shot. Results look surprisingly good, but it’s too early to judge. It finds quite a lot of different file types and shows previews. Filenames are gone. In the shareware/trial, the preview function is very limited, so I can’t tell for Word and Excel, but it could look good from the very small piece they show. It also seems to run much faster, it estimated about 5-6 hours for me, while the others ran about 15 or more.

I have yet to try any data recovery as I am waiting for a big enough disc to recover to. I have found the following entries in my router logs which might suggest that the device was initially compromised on the 18th June but am posting this here for those that will be able to make more sense than I can. Prior to this there are no port scanning entries in my event log.

09:01:44 18 Jun. Port forwarding rule deleted via UPnP/TR064. Protocol: TCP external ports: any->0 internal client: 192.168.1.243
09:01:44 18 Jun. Port forwarding rule deleted via UPnP/TR064. Protocol: TCP external ports: any->0 internal client: 192.168.1.243
08:59:41 18 Jun. DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=81.139.56.100 DST=*.*.*.* LEN=146 TOS=0x00 PREC=0x00 TTL=60 ID=18977 PROTO=UDP SPT=53 DPT=7 LEN=126 MARK=0x8000000
08:00:17 18 Jun. DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=184.105.139.69 DST=*.*.*.* LEN=29 TOS=0x00 PREC=0x00 TTL=51 ID=49545 DF PROTO=UDP SPT=59252 DPT=19 LEN=9 MARK=0x8000000
07:00:17 18 Jun. DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=81.139.56.100 DST=*.*.*.* LEN=147 TOS=0x00 PREC=0x00 TTL=60 ID=15248 PROTO=UDP SPT=53 DPT=19 LEN=127 MARK=0x8000000
07:00:17 18 Jun. DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=81.139.57.100 DST=*.*.*.* LEN=147 TOS=0x00 PREC=0x00 TTL=60 ID=26592 PROTO=UDP SPT=53 DPT=19 LEN=127 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=52213 DF PROTO=TCP SPT=37146 DPT=81 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=34388 DF PROTO=TCP SPT=51544 DPT=82 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4576 DF PROTO=TCP SPT=46424 DPT=83 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=59114 DF PROTO=TCP SPT=54156 DPT=84 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=43926 DF PROTO=TCP SPT=35506 DPT=85 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=58712 DF PROTO=TCP SPT=50726 DPT=86 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=714 DF PROTO=TCP SPT=51068 DPT=88 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=60000 DF PROTO=TCP SPT=34106 DPT=89 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=26232 DF PROTO=TCP SPT=59564 DPT=90 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=19944 DF PROTO=TCP SPT=49324 DPT=91 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
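
A triage sketch for router logs in the format posted above, added here as an example and not part of the original post: it groups blocked TCP probes by source, notes UDP probes to the echo (7) and chargen (19) ports, and counts UPnP port-forwarding changes per internal client. The function names and the `scan_threshold` value are assumptions; the sample lines are copied from the post with whitespace normalised.

```python
import re
from collections import defaultdict

# Lines copied from the router log in the post above (whitespace normalised).
SAMPLE_LOG = """\
09:01:44 18 Jun. Port forwarding rule deleted via UPnP/TR064. Protocol: TCP external ports: any->0 internal client: 192.168.1.243
09:01:44 18 Jun. Port forwarding rule deleted via UPnP/TR064. Protocol: TCP external ports: any->0 internal client: 192.168.1.243
08:59:41 18 Jun. DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=81.139.56.100 DST=*.*.*.* LEN=146 TOS=0x00 PREC=0x00 TTL=60 ID=18977 PROTO=UDP SPT=53 DPT=7 LEN=126 MARK=0x8000000
08:00:17 18 Jun. DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=184.105.139.69 DST=*.*.*.* LEN=29 TOS=0x00 PREC=0x00 TTL=51 ID=49545 DF PROTO=UDP SPT=59252 DPT=19 LEN=9 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=52213 DF PROTO=TCP SPT=37146 DPT=81 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=34388 DF PROTO=TCP SPT=51544 DPT=82 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
03:00:17 18 Jun. DoS(Port Scanning): IN=ppp1 OUT= MAC= SRC=185.212.131.64 DST=*.*.*.* LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4576 DF PROTO=TCP SPT=46424 DPT=83 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x8000000
"""

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<date>\d{1,2} \w{3})\.\s+(?P<msg>.+)$")
FW_RE = re.compile(r"^DoS\((?P<kind>[^)]+)\):\s+(?P<fields>.+)$")
UPNP_RE = re.compile(
    r"^Port forwarding rule (?P<action>\w+) via UPnP/TR064\..*?"
    r"Protocol:\s*(?P<proto>\w+).*?internal client:\s*(?P<client>\S+)"
)
KV_RE = re.compile(r"(\w+)=(\S*)")

# Legacy UDP services seen as destination ports in the posted log.
LEGACY_UDP = {7: "echo", 19: "chargen"}


def parse_line(line):
    """Turn one router log line into a dict, or None if it has no timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"time": m["time"], "date": m["date"]}
    fw = FW_RE.match(m["msg"])
    if fw:
        fields = {}
        for key, value in KV_RE.findall(fw["fields"]):
            fields.setdefault(key, value)  # LEN appears twice; keep the first (IP length)
        dpt = fields.get("DPT", "")
        event.update(type="firewall", kind=fw["kind"], src=fields.get("SRC"),
                     proto=fields.get("PROTO"), dpt=int(dpt) if dpt.isdigit() else None)
        return event
    up = UPNP_RE.match(m["msg"])
    if up:
        event.update(type="upnp", action=up["action"],
                     proto=up["proto"], client=up["client"])
        return event
    event.update(type="other", text=m["msg"])
    return event


def summarise(log_text, scan_threshold=3):
    """Group events so the questions worth asking stand out.

    scan_threshold (assumed value): distinct TCP ports from one source
    before that source is reported as a scanner.
    """
    tcp_ports = defaultdict(set)
    udp_probes = defaultdict(set)
    upnp_changes = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["type"] == "firewall" and ev["dpt"] is not None:
            if ev["proto"] == "TCP":
                tcp_ports[ev["src"]].add(ev["dpt"])
            elif ev["proto"] == "UDP" and ev["dpt"] in LEGACY_UDP:
                udp_probes[ev["src"]].add(LEGACY_UDP[ev["dpt"]])
        elif ev["type"] == "upnp":
            # Which LAN device had its port mappings changed, and how often.
            upnp_changes[(ev["client"], ev["action"])] += 1
    return {
        "scanners": {s: sorted(p) for s, p in tcp_ports.items() if len(p) >= scan_threshold},
        "udp_probes": {s: sorted(v) for s, v in udp_probes.items()},
        "upnp_changes": dict(upnp_changes),
    }


if __name__ == "__main__":
    for section, data in summarise(SAMPLE_LOG).items():
        print(section, data)
```

The firewall entries are traffic the router logged as blocked at the WAN interface; the UPnP entries are the ones to compare against the router's current port-mapping table and the address of the NAS.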

Maybe we should create a single, central post or page that contains all of the information regarding this situation in one place, or maybe create a public Google Docs page for that. Having all information in one location would help a lot of people, since this thread is getting massive, and I think it would also help us work on any possible solutions.

Myself, I would be very pleased if WD decided to create a firmware for us that simply removes all remote access features and renders the MBL strictly a LAN device, which is how I have always used mine anyway. I say this because I know it’s extremely unlikely that WD would create an updated, full-featured firmware for this device.

On my My Book Live Duo, I reinstalled the latest firmware. I’m hoping that would have removed any possibility that there was malicious code on my drive. As I mentioned earlier, it appears that this attack had different levels of device penetration, probably depending on which features the users had enabled.

Incidentally, WD’s current home flagship product, the My Cloud Expert Series EX2 Ultra has been on the market for over five years now. I wonder how much longer that product will be available, and when WD relegates that to the ‘legacy’ status graveyard.

3 Likes

You need this one 3.5" not 2.5"

I got everything I needed back and then some. Now looking at restoring the lost partitions and making a readable drive with some structure to see if I can 100% restore everything, but really only out of interest!

1 Like

My MBL was also wiped / reset by this bug but fortunately all the data was duplicated in other places.
One aspect that I have noted is that the firmware looks to have been compromised as all my attempts to do a full factory restore failed with no progress indication.
I had to ‘update’ the firmware using the 2015 .deb file from WD (found via the OpenWrt site) before doing the full factory restore then started working!
I doubt I will ever trust the MBL for storing any important data after this event and will probably remove the internal 2TB drive and use it in a USB enclosure instead.

Thanks for mentioning debugfs.
Had failed to mount my drive under Linux and debugfs just appears to handle things.
Looks like my main drive was not hit as all the files are there.
So happily using debugfs and the rdump command in it to copy everything newer than my last backup.
Don’t want to risk booting the NAS without making sure first I have everything off it.

cheers

Thank you for your help :grin:

@Hazamel Thank you for the update, unfortunate for all of us holding our breaths. Do you have the capability to connect directly to SATA on a desktop?

It’s connected via external USB drive to my desktop. It’s the safer way for me. Connecting it to the internal power source and SATA ports would have been a major wiring job. And I don’t want that drive anywhere near my feet :wink:

Yes, I found the very same thing in my network. I removed it but it has me wondering exactly what that is.

Tbh, I’m not sure what to think of WD and the MyBook. I bought it because of the price. It was simple, small, easy to use and didn’t cost that much. But soon I discovered this company doesn’t care much about customers. It didn’t play most .mkv videos on my Samsung TV. So in hard research work I found out there’s something called “Twonky” which is a DLNA server, and this software was outdated from the day I purchased it. So I had to buy a new version from that vendor for USD 20 and install it using putty/telnet, which requires some IT know-how.

Now I’m literally shocked to see how ridiculous the set-up is. This device is totally insecure. In terms of network protection and hardware failure. I’m not sure if I should buy another NAS or just move to a professional cloud service. If I buy something new, it might be from a leading manufacturer like Synology or Qnap. This thing really shouldn’t be sold as a back-up solution using slogans like “put your life on it”…

2 Likes

Qnap just did firmware updates because of ransomware. And it’s nothing like “works out of the box”. You have to dive into the logic behind RAID systems and configuration to use it “the right way”. Don’t be fooled: it’s a professional system. And not just the price tag is professional.