Help! All data in mybook live gone and owner password unknown

These last 2 posts are more of what we need.
One thing is that WD say “hey turn off remote access” and another, different thing is “hey pull the plug and upgrade your unit”.

So … as previously mentioned, my drive has been affected, and I can’t even log on to it, not even with the original password.

It’s currently powered on, but disconnected from my router.

In simple terms - what do I do now? Just sit tight and wait for the next email from WD?

I would say so, yes. As above, a tweet has been put out there for you to contact them regarding data recovery.

Well that’s apparently not the case as I registered mine nearly 10 years ago and never got an email.

Any chance of a share of the tweet? For those of us that don’t twitter?

The email almost went into my spam folder. It was NOT in my regular inbox folder.

The only way to be impacted if everything is disabled is if the attack came from the LAN, in which case another device is likely compromised.

That or the device was infected before remote access was disabled.

I thought that I lost 20 years of files from my law firm. Last week I contacted WD through their chat line and kept being disconnected when I asked if there was any solution to my MyBook Live factory reset. I then saw online that Stellar Data Recovery was offering their services free of charge to afflicted MyBook Live owners. I researched the firm and saw that they were a world leader in data recovery. I contacted them and I have never seen customer support like this. They have proprietary software which recovered my files! It was an arduous process but they worked on my problem 24/7 remotely through my computer! I know WD is offering data recovery services next month, but if you want a quicker, more immediate service which is being performed as a service to the MyBook community, use Stellar. I have no affiliation with Stellar. They saved my business!

Below is the link for Stellar Data Recovery Toolkit-Windows:

https://www.stellarinfo.com/data-recovery-toolkit.php

4 Likes

In their updated advisory, WD wrote the exact cause of the 0-day exploit CVE-2021-35941.

Here is the fix:

Edit /var/www/Admin/webapp/includes/component_config.php

Find:

'system_factory_restore' => array('system_configuration/system_factory_restore.php','System_factory_restore'),

Replace:

'system_factory_restore' => array('system_configuration/system_factory_restore.php','System_factory_restore', $ADMIN_AUTH_LAN_ALL ),

Note: When you use nano, don’t get tricked with the syntax highlighting. It looks like //**** is a multi-line-comment, but it is not (weird).

1 Like
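Added example, not part of any post in this thread: a small shell check that reports whether the `system_factory_restore` mapping quoted in the fix above carries the `$ADMIN_AUTH_LAN_ALL` argument on an active (not commented-out) line. The function name `check_restore_auth`, the one-mapping-per-line layout and both sample files (including the commented-out decoy line) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the component_config.php edit described in the post.
# Assumption: each endpoint mapping sits on a single line, as quoted there.

# check_restore_auth FILE -> prints PATCHED, UNPATCHED or MISSING
# (exit status 0, 1 or 2 respectively).
check_restore_auth() {
    # Only active lines count: a mapping that begins with // is a comment,
    # so a plain grep for $ADMIN_AUTH_LAN_ALL could report a false "patched".
    # tail -n 1: with duplicate keys in a PHP array literal, the last one wins.
    line=$(grep -E "^[[:space:]]*'system_factory_restore'[[:space:]]*=>" "$1" 2>/dev/null | tail -n 1)
    if [ -z "$line" ]; then
        echo MISSING
        return 2
    fi
    case $line in
        *'$ADMIN_AUTH_LAN_ALL'*) echo PATCHED;   return 0 ;;
        *)                       echo UNPATCHED; return 1 ;;
    esac
}

# Constructed sample files (not copied from a real device).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before.php" <<'EOF'
<?php
// 'system_factory_restore' => array('system_configuration/system_factory_restore.php','System_factory_restore', $ADMIN_AUTH_LAN_ALL ),
'system_factory_restore' => array('system_configuration/system_factory_restore.php','System_factory_restore'),
EOF
cat > "$SAMPLE_DIR/after.php" <<'EOF'
<?php
'system_factory_restore' => array('system_configuration/system_factory_restore.php','System_factory_restore', $ADMIN_AUTH_LAN_ALL ),
EOF

# Demo run over both samples.
for f in before after; do
    printf '%s: ' "$f.php"
    check_restore_auth "$SAMPLE_DIR/$f.php" || true
done
```

On a device, the same function can be pointed at `/var/www/Admin/webapp/includes/component_config.php` after editing, to confirm the change was saved on the live line.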

Done. I also did your fix from post 406 about the other exploit. Finally, I edited and changed communicationmanagerd to DISABLE in /var/www/Admin/webapp/config/globalconfig.ini as mentioned back a bit in this thread. Did I miss anything, or does this sound like the device is blocked from WAN access?

I was thinking the same. If I had 20 years of files from a law firm (assuming confidential) I don’t think I’m going to let some company I’d never heard of, remote into my computer for anything.

2 Likes

Can you please tell me exactly which change you did in /var/www/Admin/webapp/config/globalconfig.ini ?

My file has following lines:

COMMMANAGERSCRIPT_ENABLE="nohup /usr/orion/communicationmanager/communicationmanagerd enable '' 1>/dev/null &"
COMMMANAGERSCRIPT_DISABLE="/usr/orion/communicationmanager/communicationmanagerd disable ''"

Well, you can reset it using the recessed pin switch in the back, put your own password back on it, shut off remote access and UPnP as noted, and then just disconnect it again. If you did not have a proper backup in the first place (meaning that you did not have at least TWO copies of your files), you can try to get the files recovered when WD puts out their offering. If you did have a proper backup, you can either reuse it as a NAS, after you make the needed changes as described, or you can use the HDD as a regular drive in a SATA / USB enclosure or as an internal drive in a PC.

Everyone:

If you used your MBL to “back up” your files and DID NOT keep the original files on your computer(s), then YOU DO NOT HAVE A BACKUP. You just moved your files.

1 Like

No worries. It is only a factory reset. All data is still on the hard drive.
If you are a regular user, then use some scan tools for data recovery like “recuva”.
If you are an advanced user, then use an EXT3 file system scanner and rebuild the file structure based on file system traces, journals and metadata.

Also, WD provide data recovery services.
Even some WD partner companies provide data recovery services for the WD My Book Live Duo.
Here is one of them:
https://datarecoveryexpert.ca/WD-My-Book-Live-duo-NAS-data-wiped.html

1 Like

If you used your MBL to “back up” your files and DID NOT keep the original files on your computer(s), then YOU DO NOT HAVE A BACKUP. You just moved your files.

MBL owner for 10 years. They sent me a new one 6 years ago when the NIC died.

Remote was not enabled. Unsure on the other settings. Not sure I’m even on the latest firmware.
I also installed a new router 2 years ago, so if there was any port forwarding during setup, the new router wouldn’t inherit those settings…that’s my hope.

I called home Monday and had my kid unplug the device, so I don’t know if I’m affected. Anybody have the “connect directly to your PC via ethernet” instructions so I can check on it? Or, since it might have had malicious code on it, should I not connect it at all? Don’t want to send it for data recovery if it’s not affected.

I can’t find the post that mentioned disabling communicationmanagerd in this file right now, so I can’t quote it, and please remember I am NOT very good at this. All I did is change the 1st line you quoted,

COMMMANAGERSCRIPT_ENABLE="nohup /usr/orion/communicationmanager/communicationmanagerd enable '' 1>/dev/null &"

to

COMMMANAGERSCRIPT_ENABLE="nohup /usr/orion/communicationmanager/communicationmanagerd disable '' 1>/dev/null &"

I assumed this basically said whether the call is to enable or disable, in both cases to disable. Am I wrong? It doesn’t seem to be running at the moment.

You should be able to see it without logging into Twitter but here’s a couple of screenshots…


As a side note, when you have recovered your data I would be cautious in trusting the physical disks for any important storage, as most are now over 6 years old and will be near failure. If you end up replacing your unit with a new Synology or QNAP, I suggest replacing the disks, as the disks in the mybook will not be NAS rated and also, as above, the old disks won’t last as long as your shiny new unit.

1 Like

I replied to them on Twitter and asked for confirmation of when we’re likely to hear about the trade in program details.

To be fair they replied very quickly & confirmed that it’s being put together by their team & we will all get an email with the details.

Given the speed of response & the public visibility of any reply posts to them, it may be a better route if you’re looking for a quick response to any questions…

I can tell you now, if the trade in terms are less than flexible or favourable to my wallet, I’m taking my 2 3TB drives out of the MBLs and will be buying a new bare NAS enclosure from a competitor.

It’s in their court. This is now a serious consumer confidence issue for the brand.

3 Likes