Help! All data in mybook live gone and owner password unknown

Being a non-wizard… being that I did not lose my data. Is it still possible that it is still infected as part of a botnet? And by copying all the data files to another external unit, I’m just copying that along with it? Or is it safe to just copy everything over?

Someone on an old thread suggested

edit the /etc/init.d/orion so it won’t start

I refer to communicationmanagerd

So…being programmatically impaired…lord knows how to do that.

Thank you for the fix!

It looks like WD has a mitigation in place. If someone still has remote access enabled, CommMgr still reaches out to wd2go but the openvpn client fails to set up the tunnel because the wd2go cert is expired.

2 Likes

Here is a summary of what I have done. The first two files that were fixed are dracenmarx’s code from multiple posts. On another thread I read about something that made me think the 3rd file edit might work, and I’d love for one of you out there who would know to tell me if I’m right, or if there’s another way to prevent orion from starting communicationmanagerd.
I don’t encourage anyone to actually listen to me and try it until someone more knowledgeable gives it a seal of approval. Use at your own peril!

change 1:
Edit /var/www/Admin/webapp/includes/languageConfiguration.php

replace:

exec("sudo bash -c '(echo \"language {$changes["language"]}\">/etc/language.conf)'", $output, $retVal);

with:

if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $changes["language"], $dummy)) return 'BAD_REQUEST';
exec("sudo bash -c '(echo '\"'\"".escapeshellarg("language {$changes["language"]}")."\"'\"'>/etc/language.conf)'", $output, $retVal);

also find:

exec("sudo bash -c '(echo \"language {$lang["language"]}\">/etc/language.conf)'", $output, $retVal);

replace with:

if (!preg_match('/^[a-z]{2}_[A-Z]{2}$/', $lang["language"], $dummy)) return 'BAD_REQUEST';
exec("sudo bash -c '(echo '\"'\"".escapeshellarg("language {$lang["language"]}")."\"'\"'>/etc/language.conf)'", $output, $retVal);

change 2:
Edit /var/www/Admin/webapp/includes/component_config.php

find:

'system_factory_restore' => array('system_configuration/system_factory_restore.php','System_factory_restore'),

replace with:

'system_factory_restore' => array('system_configuration/system_factory_restore.php','System_factory_restore', $ADMIN_AUTH_LAN_ALL ),

change 3: SEE BELOW BEFORE TRYING STEP 3
commented out autostart of communicationmanagerd (I think):

Edit /etc/init.d/orion

find:

        /usr/local/mediacrawler/mediacrawlerd start
        /usr/local/orion/communicationmanagerd startup

replace with:

        /usr/local/mediacrawler/mediacrawlerd start
#       /usr/local/orion/communicationmanagerd startup

Instead of that for step 3 I did this which makes communicationmanagerd unable to execute. So far all seems good:

chmod 644 /usr/local/orion/communicationmanager/communicationmanagerd

And that’s it. Hopefully someone who actually knows code confirms my change (change 3) will both prevent communicationmanagerd from starting and also not break anything else. All credit for the rest goes to dracenmarx, with much appreciation for the work. I apologize if any of this is wrong, as I am really just winging it here from reading lots and lots of posts. This is a learning experience for me at this point. Again, wait for someone smart to approve this post before trying it, especially change 3!!

2 Likes
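The point of change 1 above is that the language value was being spliced straight into a `bash -c` command string, so whatever the caller sent became part of a shell command; the patch checks the value against `^[a-z]{2}_[A-Z]{2}$` first. The script below is an added example, not dracenmarx’s code or WD’s: it mirrors that check in plain sh and writes to a temporary file that stands in for /etc/language.conf (an assumption, so it runs without root). It also covers one edge the regex in a line-based tool would miss: a value with an embedded newline.

```shell
#!/bin/sh
# Added example, not code from this thread or from WD. Mirrors the input check
# that change 1 adds to languageConfiguration.php: the language value must look
# like "en_US" before it is written to the language file. The original exec()
# interpolated the value into a "bash -c" command string, so the value itself
# could become part of a shell command.
# Assumption: a temp file stands in for /etc/language.conf.

LC_ALL=C
export LC_ALL
LANG_FILE="$(mktemp)"
trap 'rm -f "$LANG_FILE"' EXIT

# valid_language VALUE -> 0 if VALUE is exactly two lowercase letters, "_",
# two uppercase letters; 1 otherwise. A case pattern must match the whole
# string, so a value carrying a newline or shell metacharacters is rejected
# (a line-based "grep -E" of the same regex would accept "en_US<newline>...").
valid_language() {
    case "$1" in
        [a-z][a-z]_[A-Z][A-Z]) return 0 ;;
        *) return 1 ;;
    esac
}

# set_language VALUE: hardened equivalent of the patched exec() call.
# Validate first, report BAD_REQUEST on failure, and only then write.
set_language() {
    if ! valid_language "$1"; then
        echo "BAD_REQUEST" >&2
        return 1
    fi
    # After validation the value holds only letters and one underscore, and
    # printf %s passes it as data, never as part of a command line.
    printf 'language %s\n' "$1" > "$LANG_FILE"
}

# current_language -> the line currently stored in the language file
current_language() {
    cat "$LANG_FILE"
}

# Demonstration when run directly: a good value is stored, a shell-shaped one is not.
set_language en_US && echo "stored: $(current_language)"
set_language 'en_US; echo' || echo "rejected shell-shaped value"
```

Run it with `sh script.sh`; the second call prints BAD_REQUEST and leaves the file unchanged. The PHP patch additionally wraps the value in escapeshellarg(), which is belt-and-braces once the value is known to match the pattern.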

My data is gone too - not a good day

Sorry Darryn, just to have better statistics, when did you suffer the wipe?
How was your MBL setup at that moment? (Remote access activated?)

Thanks

The wipe happened on the 23rd of June
Is there a list to join for notifications for Western Digital data recovery, or should I keep checking for updates?

I was also looking at this post:
https://community.wd.com/t/runaway-mediacrawler-the-ultimate-solution/58817

I changed the focus from mediacrawler to communicationmanager and found this:

MyBookLive:/usr/local/orion/communicationmanager# ls -all
total 256
drwxrwxr-x 2 root root 4096 May 7 2015 .
drwxrwxr-x 5 root root 4096 May 7 2015 ..
-rwxrwxr-x 1 root root 3279 Oct 14 2014 comm_mgr_wd.sh
-rwxrwxr-x 1 root root 232975 Apr 16 2015 communicationmanager
-rwxrwxr-x 1 root root 11806 Dec 4 2014 communicationmanagerd
MyBookLive:/usr/local/orion/communicationmanager#

Would his solution:
(We want to change this file so that nobody can execute it! We want to turn those x’s into dashes.)

current permissions: rwx rwx r-x = 111 101 101 = 755
desired permissions: rw- r-- r-- = 110 100 100 = 644

would this achieve the desired result of preventing communicationmanager from running without obviously breaking anything else?

1 Like

Still, after a week of being online, but monitored, no attack seems to have been made on mine. No idea if it’s because my MBL is pretty modified, or because I still have an older firmware, or simply because remote access has always been disabled.

1 Like

I thought I would add my info on this.

My MBL did not get reset, and I did not lose any data. I had UPnP disabled, no port forwarding, auto-update disabled, and remote access disabled. My drive was even behind a double NAT system too.

The only thing that I found out was it had my old router’s gateway IP address before I changed the gateway IP address when I redid my network. I had my drive with a static IP address for my network.

I have my drive unplugged from the internet till I decide what path to go next.

Plus, I have not received any email from WD, but I know I did not register the drive either.

1 Like

Dear Western Digital,

With reference to your shameless “Important Announcement About Your WD My Book Live Product” message, you are trying to present the hack to the whole world as a minor issue, talking about “some users” and “a few who are using old WD devices”.
WD, wake up. Thousands of families around the world are victims of your policy of not solving security issues and not taking responsibility through the years. Of course, the infected NAS equipment were old devices and so on, but are you expecting your customers to buy a new WD device every 5 years so that your profit stays at the same level? Do you want to force your customers to participate in your management decisions to support shareholder value by just cutting off technical support and ignoring your responsibility to solve security issues in your embedded software? Which of the devices or services you currently provide will be next on the list of hackers to be attacked, as you are refusing to provide safe devices and software? How do we, WD customers, know that the current WD devices are safe? Just believing your blue eyes, like in the past, promoting the absolutely safe and secure WD My Book Live Duo? And trying to tell us with a smile that the hack on the 24th of June is a minor security issue and just some of your customers are victims. Just like that?
The public and WD users are not stupid, even if you think so; you had better come with better stories, facts and figures, tools, support and so on. It will be a very hot summer in defending your image and market position, with customers leaving, etc.

7 Likes

The x means it’s executable, so the missing x would be the desired result.

This is usually achieved by running the chmod command on the script, and likely requires you to ssh into the device.

I think the command is chmod -x /path/to/file/filename

1 Like
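The question two posts up and this answer describe the same mitigation from two angles: the octal arithmetic (755 = rwx r-x r-x, 644 = rw- r-- r--) and the command that gets you there (chmod 644 or chmod -x). The script below is an added example, not code from anyone in this thread or from WD. It applies both of the thread’s approaches to throwaway copies rather than the real files: it strips the execute bits from a stand-in for communicationmanagerd and confirms the kernel then refuses to run it, and it comments the start line out of a stand-in for /etc/init.d/orion. The scratch directory, the two-line stand-in daemon and the two-line stand-in init script are all assumptions constructed here.

```shell
#!/bin/sh
# Added example, not code from this thread or from WD. Reproduces the two ways
# the thread proposes to stop communicationmanagerd, on constructed copies:
#   1. clear the execute bits on the daemon (755 -> 644, or "chmod -x")
#   2. comment its start line out of the init script
# Assumptions: a scratch directory stands in for
# /usr/local/orion/communicationmanager and /etc/init.d; a tiny shell script
# stands in for the real daemon binary.

WORK="$(mktemp -d ./mbl-example.XXXXXX 2>/dev/null || mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DAEMON="$WORK/communicationmanagerd"   # stand-in for the real binary
INIT="$WORK/orion"                     # stand-in for /etc/init.d/orion

# setup_fixtures: (re)create the stand-ins in their original state
setup_fixtures() {
    printf '#!/bin/sh\necho "daemon started"\n' > "$DAEMON"
    chmod 755 "$DAEMON"
    printf '%s\n' \
        '        /usr/local/mediacrawler/mediacrawlerd start' \
        '        /usr/local/orion/communicationmanagerd startup' > "$INIT"
}

# mode_of FILE -> permission bits in octal (GNU stat, falling back to BSD stat)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# disable_exec FILE: the chmod from the thread.
# 755 = rwxr-xr-x = 111 101 101; clearing the x bit in each of the three
# groups leaves 644 = rw-r--r-- = 110 100 100. "chmod -x FILE" clears the
# same three bits and leaves the other six untouched.
disable_exec() {
    chmod 644 "$1"
}

# try_run FILE -> 0 if the file executed, non-zero if exec was refused.
# The kernel requires at least one execute bit even for root.
try_run() {
    "$1" >/dev/null 2>&1
}

# comment_out FILE NEEDLE: prefix every line containing NEEDLE with "# ".
# Init scripts are shell, so "#" is the comment marker; a "//" prefix is not
# a comment in sh and would just be run as a command named "//" and fail.
comment_out() {
    sed "\|$2|s/^/# /" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# active_start_lines FILE -> count of uncommented lines that start the daemon
active_start_lines() {
    grep -c '^[^#]*communicationmanagerd' "$1" || true
}

# Demonstration when run directly.
setup_fixtures
echo "before: mode $(mode_of "$DAEMON"), active start lines: $(active_start_lines "$INIT")"
disable_exec "$DAEMON"
comment_out "$INIT" '/usr/local/orion/communicationmanagerd startup'
echo "after:  mode $(mode_of "$DAEMON"), active start lines: $(active_start_lines "$INIT")"
try_run "$DAEMON" || echo "stand-in daemon can no longer be executed"
```

Either measure alone stops the daemon from starting at boot; the chmod also stops anything else from launching it by hand, which is why the thread settled on that one. After applying it on a real device, `ls -l` of the directory should show `-rw-rw-r--` (or `-rw-r--r--`) on communicationmanagerd instead of `-rwxrwxr-x`.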

Thank you for your time and effort. Many will benefit from it.

1 Like

I have managed to recover my missing data - this is how I did it. First get the hard drive out of the MBL case. Then plug a 3.5" SATA to USB connector into it (you need a SATA connector with an external 12V DC power supply). Then plug the USB connector into a Windows laptop - the laptop will ask you to reformat the drive as it does not recognise a Linux formatted disk - do not do this!!! Then download and run Photorec and follow the instructions - this will recover any picture files, e.g. jpg. Photorec is free.
Then download and run Disk Drill to recover e.g. Word, Powerpoint, Excel etc. files - Disk Drill is free for up to 500MB of recovered files. You will have lost file names in some instances - you will have lost the folders into which the files were previously sorted - good luck

Hi,

I think I might have dodged the bullet here, but I have to ask some questions just so settle my anxiety. Data loss is scary ■■■■…

My MyBook Duo is not connected directly to the internet, only to my computer. My computer was shut down. When I unplugged the internet cable and started both up, my files were all there. Then I unplugged the MyBook from the computer, and even from the power cable. Connected the internet back to the computer and fired it up. When the computer started, I got the little bubble down to the right telling me that “my WD software is up to date!” or something like that. Now I’m afraid to ever plug it in again.

Today I noticed this:
image

Now I’m totally freaked out. Is this a “fix” from WD or is this actually the thing that will erase my data once I plug them back in?

I am freaking out and I don’t even know if my model is among the affected ones. I bought mine in July 2018:

WD My Book DUO 8TB USB 3.0, Raid 0, 256-bits AES, inkl. WD RED HDD

That is not the attack, it’s safe. And your drive is not affected by this vulnerability - only the My Book Live units. Your device is a USB drive, not a Network Attached Storage unit.

You’re totally safe.

2 Likes

@TruckerJoe So using R-Studio my scan finished and I have 3 “Recognised” sections; primary (Recognized9), primary(Recognized10) and G:(Recognized11). Looking in all three there seems to be the same files in the same type of folder, certainly in the Graphic,Pictures/Jpeg Image area. I assume I just save one lot from one section and not the same files from each of the recognized sections? I have a 1TB HDD standing by in the second bay of my SATA docking station ready to take the files from the WD MBL drive.

I have now implemented all source code changes suggested in this post on my NAS, even if it hasn’t been compromised in the last week. Always best to correct the underlying issues, as much as possible.

Still, I have no remote access or UPnP enabled, so how anyone has been affected by these attacks is still a complete mystery to me. If remote access is disabled, the VPN interfaces don’t get initialized (verified) and the tunnel doesn’t come up, and if manual port forwarding isn’t configured on the router then it’s almost impossible to get to the device behind a normal NAT router…

Any thoughts in reality?

2 Likes