Help! All data in mybook live gone and owner password unknown

This morning when trying to enter Mybook Live it did not work, neither did the user password work, now when entering only the original folders and no information are displayed, I have lost 2 TB of information. And after several days since the first case, WD has not given any real solution to the serious security problem and also no way to recover the information. I also have a Mycloud and since its upgrade to OS5 it has been a disaster …

I have my receipt. I bought it from new egg. I bought almost all of my electronics online, I just log into amazon, new egg, adorama, bh photovideo and there is my receipt. I will log into chat tomorrow and see what support they will give me.

Interesting article from ThreatPost; Zero-Day Used to Wipe My Book Live Devices | Threatpost

Why?

Thankfully, NAS is usually off at night so I escaped the hack. Really feel bad for all the people out there who have suffered. BTW, I have always had remote access off, auto-update off and on the router, upnp also off. Is that enough to be safe? The drive still has internet access though - I don’t know how to limit that. Is there a way to limit the drive just to the local network?

Is there a simple way to tell if the firmware is similarly defective on a first generation WD Cloud?

This post in the forum section on these devices says it may be affected:-
https://community.wd.com/t/does-my-1st-gen-single-bay-my-cloud-share-the-vulnerability-that-is-hitting-my-book-live-devices/268208

I can SSH into it but am not familiar with the required commands.

This doesn’t exactly inspire confidence. 1 week after I took both my MBL’s offline & 6 years since the last Firmware update, I got a message this morning whilst I was using my EX2 on the MYCloud app advising me that both devices were now unsupported & should be taken off line.

Really?

And now with little to no word from WD regarding replacement & trade in or a LAN only fix for these now unsupported devices alongside all sorts of other scary stories regarding the security on my EX2 & the latest firmware on those being potentially compromised, I’m thinking it’s time to leave WD as a customer & go elsewhere.

Which is disappointing. I’ve been brand loyal for 20 years but rendering 2 of my storage devices unusable & a looming threat against my third is totally unacceptable.

Anyone else feeling this way?

Are you listening WD?

1 Like

So disgusted am I that I tweeted this morning…

2 Likes

I need some help from someone.

Apparently, although my MBLD is still intact, I was hacked around the same time as everyone else. My oldest logfile shows that bad actors were trying to access my system via Apache. Now that I’ve shut off access from outside to the MBLD MAC address I appear to be safe for the time being, but am trying to identify the extent of any damage done. All the changes to code on the MBLD in this thread have been implemented.

Thanks to @dracenmarx, I was able to compare my compromised /etc/init.d/apache2 script against an intact one. My file, which was changed around June 23 of this year, had the commands to shutdown apache commented out, so that any calls to apache2ctl to do so would fail silently. But I’m still not convinced that my MBLD is not doing something it shouldn’t.

The output of `ps -eo pid,ppid,lstart,cmd | grep apache2` gives me the following information:

```
2530 1 Fri Jul 2 12:02:38 2021 /usr/sbin/apache2 -k start
4025 2530 Sat Jul 3 12:05:35 2021 /usr/sbin/apache2 -k start
4026 2530 Sat Jul 3 12:05:35 2021 /usr/sbin/apache2 -k start
```

So there are 3 apache processes running concurrently, one started by the init process and 2 spawned by apache itself. This concurs with what /etc/apache2/apache2.conf instructs. But in /var/log/apache2/error.log, you see that the apache2 daemon is getting a request to respawn the two processes every 28 minutes.

```
[Sat Jul 03 12:05:35 2021] [notice] Graceful restart requested, doing restart
[Sat Jul 03 12:05:35 2021] [notice] Digest: generating secret for digest authentication ...
[Sat Jul 03 12:05:35 2021] [notice] Digest: done
[Sat Jul 03 12:05:36 2021] [warn] RSA server certificate wildcard CommonName (CN) `*.deviceXXXXXX.wd2go.com' does NOT match server name!?
[Sat Jul 03 12:05:36 2021] [notice] Apache/2.2.9 (Debian) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8zf configured -- resuming normal operations
```

So, my questions are:

  1. Is anybody else seeing this happening; if not, how often if ever does it happen to you?
  2. Does anyone have any idea where the interval for respawning is being set? Is it hard-coded in the daemon or is it configurable somewhere, or is there a bad actor active? (my router blocks all incoming and outgoing internet traffic to and from the MAC address of the MBLD).

1 Like
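
For readers following the post above, this added example (not part of the original post, and not WD's code) measures the gap between "Graceful restart requested" entries in an Apache 2.2 `error.log` and reports whether the restarts arrive on a fixed schedule. The sample log is constructed in the format quoted above; the function names and the 60-second tolerance are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Apache 2.2 error.log line: [Sat Jul 03 12:05:35 2021] [notice] message
LINE_RE = re.compile(r"^\[(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] \[(\w+)\] (.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
# Logged when the parent process is told to restart gracefully
# (apache2ctl graceful, i.e. SIGUSR1); Apache does not do this on a timer itself.
RESTART_MSG = "Graceful restart requested"

# Constructed sample in the format of the excerpt above (timestamps invented).
SAMPLE_LOG = """\
[Sat Jul 03 11:09:35 2021] [notice] Graceful restart requested, doing restart
[Sat Jul 03 11:09:36 2021] [notice] Apache/2.2.9 (Debian) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8zf configured -- resuming normal operations
[Sat Jul 03 11:37:35 2021] [notice] Graceful restart requested, doing restart
[Sat Jul 03 11:37:35 2021] [notice] Digest: done
truncated line without a timestamp
[Sat Jul 03 12:05:35 2021] [notice] Graceful restart requested, doing restart
[Sat Jul 03 12:33:36 2021] [notice] Graceful restart requested, doing restart
"""


def restart_times(log_text):
    """Return the timestamps of every graceful-restart notice, in log order."""
    times = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "notice" and m.group(3).startswith(RESTART_MSG):
            times.append(datetime.strptime(m.group(1), TS_FORMAT))
    return times


def restart_cadence(times, tolerance_s=60):
    """Return (median gap in minutes, True if every gap is within tolerance of it)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:  # need at least three restarts to call anything periodic
        return None, False
    mid = median(gaps)
    return mid / 60, all(abs(g - mid) <= tolerance_s for g in gaps)


if __name__ == "__main__":
    minutes, periodic = restart_cadence(restart_times(SAMPLE_LOG))
    print(f"median gap: {minutes} min, fixed schedule: {periodic}")
```

To use it on a real device, pass the text of `/var/log/apache2/error.log` to `restart_times`. A fixed cadence means something outside Apache is requesting the restart on that period, so the scheduler entries and scripts that call `apache2ctl` are the next thing to review.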

As per my earlier post, given there was very little bandwidth change, I don’t think actually anything was stolen by the hack. But just to be sure I’ve gone and done a full password change on all the accounts I can think of.

Might be worth considering for all of you who also got done.

Eat my words and keep in mind: They are true - no excuses.

Lol, just received my customer survey: how did WD do?
As far as I can see they have done nothing. Would you trust them with your data in the future?

1 Like

There have been zero updates from 29th… WD, July is already here

Can anyone recommend a good SATA to USB adaptor? Preferably one that does 2.5" and 3.5" hard drives?

I’m done with these people, I don’t want their discounted upgrade … whatever that is… the most I might even consider is an external usb drive. But that is even doubtful

1 Like

@hellbound0410 did they do something? I got an email response that was a copy of already sent information.

@Pikazzo Exactly my response to WD

1 Like

@ironandivy

I have used this one.
You need one with external 12V power supply. USB power is not enough.

Sabrent USB 3.0 to SSD/SATA/IDE 2.5/3.5/5.25-INCH Hard Drive Converter with UL Power Supply & LED Activity Lights [10TB Support] (USB-DS12)

1 Like

Hello, are the WD Ultra EX2 (Not ultra) models also affected?
