The fix is going to be the replacement device WD will be providing to get things back online. The OS is compromised and not reasonably fixable.
According to Censys:
This code appears to connect to 184.108.40.206 on port 1128 (a payload server), and sends what appears to be a password. The server is expected to respond with more code, which this perl script then executes. As of June 29th, 2021, this server was not responding on that port. The IP address is associated with morewave.com, an ISP out of Canada.
Yeah, that cracked me up too when I noticed that.
I have sent them a question regarding data recovery and how I would get this arranged. Hope to hear back before paying out to recover it myself.
So I’ve blocked internet access to the MBL via the modem and kept it working inside the LAN only… is this enough to keep it out of hackers’ reach?
Yep also got that - promising but very late.
I hope it’s OK I’ve gone and deconstructed it to get the drive out to get it to a recovery professional in advance of both these offers.
Update - my data recovery guy wasn’t able to recover filenames and folders. Raw data is there but said leave it for now as I can’t make head nor tail of it meaningfully.
Is it enough to connect the MBLD directly via ethernet or do I need to buy a 2-bay adapter?
Was this in a raid (mirror)? If yes see my post above, I was able to recover the file and folder structure/names
You would need a 2-bay adapter or dock; I used 2 SATA to USB connectors. Best Buy has a two-drive dock for 45 in store if you need it quick.
Everyone’s case may vary but I was able to recover 40+ superblocks during my restore. I think it’s worth noting that deleted does not equal gone forever in most cases. Drives generally keep the data until it’s overwritten.
I am not in the US but I will find one here in Europe then.
Was getting crazy with my single adapter; now I know why.
Just to be sure, access via LAN to the MBLD as it is, is not an option, right?
Unfortunately it wasn’t - there is a RAID on there but it was a single disc arrangement so it’s gone. Best option was dswv42 outlined, but I’ll wait for WD now to see what they suggest. Most of my data is backed up elsewhere - what is lost outright here is mostly software programs and ripped DVDs. No real biggie compared to others on here!
Correct, you need direct access to the drives. LAN is not an option. Also I HIGHLY recommend not to power the drives on in the enclosure if you want to restore data. The enclosure writes logs and other minor data but that could be overwriting your data.
Thank you so much. I understand.
Last question before going to shop: does it need to be a 2-bay station (e.g. FIDECO USB 3.0 external hard drive docking station with 3 ports, aluminium dual-bay HDD docking station for HDD/SSD/SSHD or 2.5 and 3.5 inch SATA III, offline clone: Amazon.de: Computers & Accessories) or can it just be 2 single adapters (Inateck USB 3.0 to SATA converter adapter for 2.5/3.5 inch HDD/SSD drives with 12V 2A power supply: Amazon.de: Computers & Accessories)?
Even Linus talked about this.
Interesting find. You can try using the debugfs command to open the filesystem along with the -s option to specify the superblock. The block size must also be specified with the
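Added example, not from any poster in this thread: a read-only Python scan of a partition image that locates ext2/3/4 superblock copies and reports, for each one, the block number and block size that debugfs needs when it is pointed at a backup superblock. It assumes the image starts at the filesystem's first byte and that each backup copy records its own block group number; the sample image and the function names are constructed for illustration.

```python
import os, struct, tempfile

EXT_MAGIC = 0xEF53  # s_magic: little-endian u16 at byte 56 of the superblock
SB_SIZE = 1024      # superblock length; every copy starts on a 1 KiB boundary

def parse_superblock(buf):
    """Return (block_size, first_data_block, blocks_per_group, group) or None."""
    if len(buf) < SB_SIZE or struct.unpack_from("<H", buf, 56)[0] != EXT_MAGIC:
        return None
    first_data_block, log_bs = struct.unpack_from("<II", buf, 20)
    (blocks_per_group,) = struct.unpack_from("<I", buf, 32)
    (group,) = struct.unpack_from("<H", buf, 90)  # s_block_group_nr
    if log_bs > 6 or blocks_per_group == 0:       # accept 1 KiB .. 64 KiB blocks
        return None
    return 1024 << log_bs, first_data_block, blocks_per_group, group

def find_superblocks(path):
    """Scan a partition image (opened read-only) for superblock copies."""
    # A hit is kept only if it sits where its own fields say the copy for that
    # block group belongs, which rejects stray 0xEF53 bytes inside file data.
    found, offset = [], 0
    with open(path, "rb") as img:
        while len(buf := img.read(SB_SIZE)) == SB_SIZE:
            sb = parse_superblock(buf)
            if sb:
                bs, first, per_group, group = sb
                expected = 1024 if group == 0 else (first + group * per_group) * bs
                if expected == offset:
                    found.append({"group": group, "block": offset // bs, "block_size": bs})
            offset += SB_SIZE
    return found

def make_sample_image(path, groups=(0, 1, 3), per_group=8):
    """Constructed input: tiny 1 KiB-block layout with three copies and a decoy."""
    img = bytearray(64 * 1024)
    def put(offset, group):
        struct.pack_into("<II", img, offset + 20, 1, 0)  # first data block 1, log_bs 0
        struct.pack_into("<I", img, offset + 32, per_group)
        struct.pack_into("<H", img, offset + 56, EXT_MAGIC)
        struct.pack_into("<H", img, offset + 90, group)
    for g in groups:
        put(1024 if g == 0 else (1 + g * per_group) * 1024, g)
    put(5 * 1024, 2)  # decoy: claims group 2 but sits at the wrong offset
    with open(path, "wb") as f:
        f.write(img)

if __name__ == "__main__":
    p = os.path.join(tempfile.mkdtemp(), "sample.img")
    make_sample_image(p)
    print(find_superblocks(p))
```

Run it against an image copied from the drive, not the drive itself, so nothing is written to the original while copies are being located.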
YES! It looks like the EXIF data of photos (JPGs) is still intact. I am surprised and elated!
No reason why it shouldn’t. Some tools like R-Studio will use the EXIF data to generate filenames.
Generally speaking R-Studio would be the best of those 3
I thought I was going mad! 10+ years of data - boom!
As this is effectively my backup solution, for both Mac and a range of Windows kit, I have ‘lost’ a lot of important data, from personal photos to my company receipts and invoices.
WD seem to be suggesting some sort of hack … with my cynical hat on, it seems more like a firmware update gone wrong.
In an email I received today, WD have stated “Although this product family is no longer sold or supported by Western Digital, we know some of our customers have been impacted and we want to help. If you have lost your data as a result of these attacks, we will provide data recovery services which will be available beginning in July”
I genuinely hope this promise will be delivered.
I don’t know how this will work, given my unit is now disconnected from my home network.