NamPoHyu Virus

#1

Hey guys

Last night on my 4TB MyCloud (single bay) device I found most of my files/docs with nampohyu extensions. Thankfully, I have a backup that wasn’t infected, but I read online that they are targeting ‘Samba servers’, whatever that means. I have 2 laptops at home and they are thoroughly scanned for this. My guess is it was an attack remotely. My device was placed in the DMZ on my router, which I now totally regret. Currently reformatting the cloud and will see what happens. Any advice on protecting this NAS drive? I also have the crappier newer MyCloud Home, but it’s only media files that are already backed up, so not really bothered.

Just can’t believe what happened!

#2

Samba is the Linux software that enables Windows file and print services. (e.g., it allows the MyCloud to function as a NAS.)

While kinda antithetical to the intended role of a MyCloud, you should NEVER have a samba server be exposed to the internet. It just is not safe. Full Stop.

The MyCloud wants to create an encrypted tunnel to do its “Cloud” function, which means being on the open internet. However, they only have a single ethernet interface on these units, and they also function as a NAS, even with the cloud service running. If you have misconfigured your border router, Samba traffic could traverse it, and this is how the servers get infected with these worms. You should block all inbound and outbound ports used by Samba at your router. Full Stop.

#3

Thanks for the technical rundown. What do you suggest to prevent this? Don’t have a NAS?

#4

Block the ports used by Samba at your router, to ensure that no outbound or inbound traffic can communicate over them.

https://www.samba.org/~tpot/articles/firewall

Or, in a nutshell, block all these ports for both inbound and outbound traffic over the gateway.

UDP ports 137, 138 & TCP ports 137, 139, 445
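An added example, not from the thread or from Samba or WD: a POSIX shell function that generates an nftables ruleset dropping the ports listed above on the WAN-facing interface, inbound and outbound, so the NAS stays reachable on the LAN but SMB never crosses the gateway. The interface name (`eth0`) is an assumption; it only applies on a router that runs nftables (consumer routers usually expose the same block in their GUI).

```bash
#!/bin/sh
# Added example (not part of the original thread): emit an nftables ruleset
# that blocks SMB/NetBIOS traffic (UDP 137,138; TCP 137,139,445) on the
# WAN interface in both directions. LAN-to-LAN SMB is untouched because
# nothing here matches traffic that never touches the WAN interface.
# Applying the output requires root: nft -f smb_block.nft

WAN_IF="${WAN_IF:-eth0}"   # assumed WAN interface name; adjust for your router

smb_block_ruleset() {
  wan="$1"
  cat <<EOF
table inet smb_block {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$wan" udp dport { 137, 138 } drop
    iifname "$wan" tcp dport { 137, 139, 445 } drop
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "$wan" udp dport { 137, 138 } drop
    iifname "$wan" tcp dport { 137, 139, 445 } drop
    oifname "$wan" udp dport { 137, 138 } drop
    oifname "$wan" tcp dport { 137, 139, 445 } drop
  }
  chain output {
    type filter hook output priority 0; policy accept;
    oifname "$wan" udp dport { 137, 138 } drop
    oifname "$wan" tcp dport { 137, 139, 445 } drop
  }
}
EOF
}

# Sanity check helper: number of drop rules in the generated ruleset.
smb_block_rule_count() {
  smb_block_ruleset "$1" | grep -c ' drop$'
}

# Print the ruleset so it can be redirected to a file and loaded with nft -f.
smb_block_ruleset "$WAN_IF"
```

The `forward` chain is what stops a LAN host (or the NAS itself) from reaching SMB ports on the Internet and vice versa; `input`/`output` cover traffic to and from the router itself.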

#5

OK, now for some more detailed exposition:

The protocol used by Samba is called SMB, or Server Message Block. This protocol is “routable” (it is able to traverse a router), and is so for important reasons. Namely, large corporate networks have “departments”, which often need to have traffic isolated. To accomplish this, they set up each department inside its own logical subnet, so that local traffic from that subnet does not go outside it unless called explicitly to do so. However, keeping multiple redundant file servers in each subnet is … Not Optimal. (ahem.) So, in order to keep a single, centralized file server, the traffic from that file server needs to be able to be routed between these subnets so that all users can access it.

This is why SMB is routable.

However, BECAUSE it is routable, it means that there is potential for an outside attacker on the internet to phone up your file server, and start accessing data. (The internet is just a very large assemblage of global subnets; Technologically, it is logically identical to a GIANT corporate network.) Needless to say, SMB assumes a nice, safe local network, not the chaotic den of filth that is the Internet. It was not designed to withstand constant barrages of malicious actors trying to screw your stuff up.

To prevent this communication, you have to put your foot down on it, and deny all communication over the ports used for that kind of traffic, so that it cannot get out of your private network and into the internet, and vice versa.

That’s where blocking the ports comes in.

#6

Not really bothered with WD Cloud on the go (when I’m out), but more importantly I need it as a (LAN) server. Will it impede this function if I block internet ports?

#7

No. It will only prevent outside actors from connecting to your NAS over the internet. Local network traffic will not experience any blocking.

#8

Thanks for your help brother… much appreciated. Currently I’m doing a full restore which is taking hours; would this be ‘clean’ of whatever virus I had? Or just bin the drive?

#9

If this is a gen2 MyCloud, the Samba configuration stuff is not persistent. (It gets destroyed when the unit reboots or powers down, but gets re-created on the fly, every time it powers on, from some XML files that whatever virus is out there probably does not know or care about.) Likewise with the root file system of the device. (The system executables are all contained either in the initial ramdisk, or in a read-only cramfs container that gets mounted early in system boot, which is, again, read-only.)

A full restore should remove any infected files in the user storage area, and you should be fine.

Dunno about a Gen1 MyCloud… I don’t own one.

#10

How would I know if it’s a Gen 1? I bought mine in Dec 2014; how do I identify it?

#11

Check the firmware version.

2.xxx == Gen2 mycloud

4.xxx == Gen1 mycloud

#12

Won’t know yet till this doorstop does its thing restoring! :frowning: However, I think it’s 4.xxx

#13

If you don’t have access to the Dashboard, look at the P/N number on the bottom of the unit. If the P/N ends with “-00” then it’s a first gen v3.x/v4.x My Cloud. If the P/N ends with “-10” then it is second gen v2.x My Cloud.

As to the initial cause, using DMZ: Don’t! Just don’t ever put anything into DMZ mode that isn’t a secure device, or that holds sensitive information, or that you don’t want to have exposed to hackers. Anything placed into DMZ mode is fully exposed to anyone on the Internet.

#14

Thanks buddy, I do have access to a dashboard so I ‘assume’ without looking that I have a Gen2. The reason I put it in the DMZ is that when I port forward, the ■■■■ thing is always saying relay connection!

#15

Spend your effort solving that issue instead of solving the issue the DMZ creates.