Help! All data in mybook live gone and owner password unknown

I read the one post of the user with the mirrored duo that seemed to have success in retaining the folders etc. Has anyone else had success with this? That would be a dream come true for me.

Sorry to see that you wasted time here among us. But I didn’t realize you had any useful time invested here anyway.

1 Like

More like never again, have the files connected to the internet.

Yes UPNP was enabled on my router, which is likely to be an attack vector. My router is a Linksys WRT1900AC running Linksys firmware. My modem is a Motorola/Arris but not sure of the model number.

1 Like

Mine finished this morning using R Suite. Yes your right. Specific file documents was individual files such as docs jpg and the like. Mine has found a tonne. Checked just before I was going to work at 2am. When I get home later I’ll sit down and see what I have but on a quick preview I saw pictures I knew was on there. Again don’t mind buying the program if it does the job. Best of luck to you :+1:

1 Like

I didn’t scan my ports because my MBL is not on my network now. I had never had remote access enabled on my MBL, nor had I ever attempted to configure it for any remote access. When I first got the MBL, I disabled remote access when I was setting it up, because that was not really needed by me and it also looked like a potential security risk.

Has it been determined if reinstalling the latest firmware on the MBL will write over and remove any malicious code on the drive?

If you are curious how the tunnel works you can look at the following post linked below. I dove into that mechanism 9 years ago.

That may be why I was spared. I had remote access enabled, but I specified my own ports manually (which Orion will register) and did not use the relay mechanism. Anyone trying to access my My Book Live drive would have had to not only scan my IP address, but pick the correct port to connect to. Though Orion does do that mapping, so someone could have scanned all the wd2go domains. It’s possible that’s broken though. I don’t think WD owns the wd2go domain anymore though.

I just connected my WD directly to my MAC via an USB-C to Ethernet adapter and checked and didn’t find any sign of hacking. No crontab, no virus files, no changed files, etc. Considering I have UPNP enabled on my router (though not on the WD drive itself) and I had remote access enabled, I don’t know how I wasn’t hit by this. I guess I was just lucky.

1 Like

Hey Sky, ok but you still missing the Mobile APP, that w2tgo or something like that.
And you can scan your ports anyway, I did it with the MBL On and Off just in case, and the results were that all ports were filtered.
If you got hit by the hacker, try scanning, if your router has some port forwarded you will notice right away.

I performed a scan using ShieldsUP just now with my MBL connected and powered on, and it showed no ports open.

ok but you now have Upnp OFF in your router, right?

Yes it’s off.

ok makes sense now, since you turn it Off but according to other posts from you it was on.
And again, mobile app? WD2go?

I just got WD update email:
Last Updated: June 29, 2021

Western Digital has determined that Internet-connected My Book Live and My Book Live Duo devices are under attack by exploitation of multiple vulnerabilities present in the device. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.

Data Recovery and Product Trade-In Programs
To help customers who have lost data as a result of these attacks, Western Digital will provide data recovery services, which will be available beginning in July. My Book Live customers will also be offered a trade-in program to upgrade to a supported My Cloud device.

Analysis of Newly Identified Vulnerability CVE-2021-35941
The My Book Live firmware is vulnerable to a remotely exploitable command injection vulnerability when the device has remote access enabled. This vulnerability may be exploited to run arbitrary commands with root privileges. Additionally, the My Book Live is vulnerable to an unauthenticated factory reset operation which allows an attacker to factory reset the device without authentication. The unauthenticated factory reset vulnerability been assigned CVE-2021-35941.

We have heard concerns about the nature of this vulnerability and are sharing technical details to address these questions. We have determined that the unauthenticated factory reset vulnerability was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware. The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php , resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file.

Analysis of the Attack
We have reviewed log files which we have received from affected customers to understand and characterize the attack. The log files we reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device.

On some devices, the attackers installed a trojan with a file named .nttpd,1-ppc-be-t1-z , which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.

Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning. The vulnerabilities being exploited in this attack are limited to the My Book Live series, which was introduced to the market in 2010 and received a final firmware update in 2015. These vulnerabilities do not affect our current My Cloud product family.

Advisory Summary

Immediately disconnect your My Book Live and My Book Live Duo from the Internet to protect your data from ongoing attacks.

For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services. My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement.

CVE Numbers: CVE-2018-18472 and CVE-2021-35941

2 Likes

I never used any mobile app from WD so I’m not sure what that’s about.

I was able to use ufsexplorer on a My book Live DUO (Mirrored) to recover data with the Folder Structure in tack. There was some data still missing that I recovered using Disk Drill to search for Excel files and then used DocFetcher to index and search them to fix the naming. These methods provided me the best results

Software:

FS Explorer RAID Recovery

Disk Drill Data Recovery Software

DocFetcher

2 Likes

i really need an easy tutorial on how to fix those 2 vulnerabilities… please help.

WD states I’m that announcement that systems with remote access enabled were attacked. That is false. The MBL devices were compromised whether remote access was enabled or not.

Or, are they saying that one of the vulnerabilities needed remote access to be enabled to execute, and the other did not? I wish they were more clear on that.

You would need to block all internet access for the device. Only allow LAN connections. I would check your router for instructions

The first allowed them to find all or most my books and the second allowed them to attack them and factory reset

It looks like some people with the EX2 Ultra were also hit: