Hi all, I noticed in my router logs that this external ipaddress 129.253.8.24 is periodically and constantly connecting to my Western Digital 4TB MyCloud drive on port 80. The ARIN whois lookup for 129.253.8.24 says it belongs to the Western Digital domain ipaddress range. I have not configured any open port 80 to my private MyCloud drive and I suspect some sneaky stuff going on here with WD firmware/software UPNP opening up access to my private drive.
I’ve seen old posts mentioning this ipaddress 129.253.8.24 connecting to other port numbers also but no explanation of why it is doing this and what information is it collecting or trying to collect by sneakily accessing our MyCloud drives?
I would like an explanation of why WD is doing this and is it for a legit reason or is it a hacking spying job? Concerned.
Thanks for pointing that out to me as I forgot about those settings. I’ll have to check them and try turning them off to see if the connection attempts stop. I know I do have remote cloud access and auto firmware update enabled but not sure about the other setting at this time. I don’t see a setting for Product Improvement Participation to enable or disable it.
I checked the auto firmware update setting that was enabled and it is only supposed to update at 3:00am per my setting but the external WD ipaddress is constantly connecting to my drive at all various times not just around 3:00am. So that is suspicious. I don’t participate in sending my data to them for Improvement Purposes… so I still can’t explain why they are constantly connecting to my cloud drive. Still concerned.
If you have remote access or the auto firmware update enabled then you have communications with (to and from) WD servers. As such it may be a bit of an overreaction to call such traffic “sneaky” or to infer something nefarious is being done by WD without more analysis of the traffic, its contents and the time it occurs.
The Product Improvement Participation setting is found in the Support menu choice under the following Dashboard icon:
My Product Improvement Participation setting is set to “off”. Disabled. Thanks for your pointers.
Even though we have remote access turned on… there should not be anyone trying to connect to my private server drive unless it is me trying to access my drive from a remote location. So I said sneaky because we do not know why some outside stranger is attempting these connections constantly to our drive. I see no reason for it. So that’s why I am skeptical and suspicious at this time. If it is for a legit reason, fine. But it does not hurt for me to inquire and expose this access activity just in case it is not a legit access. I have also now filed this same question report to WD mycloud support to see what they say about this ipaddress accessing our drives all the time.
How often is “all the time”? Is there any outgoing traffic from the My Cloud before the incoming traffic from WD? Can you post some of the traffic for others to compare or review?
Try turning off remote access and auto firmware upgrade and see if the traffic continues if not then you have the answer, if so then perhaps WD can provide more information.
I cut and pasted the router log entries that pertain to my WDCloud drive being accessed by WD ipaddress… here are the log entries and the time stamps for you to see it is constantly bombarding my drive with connections all day and night long at approximately 15 minute intervals… I have obfuscated my MyCloud ipaddress for privacy in the log statements before posting it here: See for yourself… is this normal? (Also, no there is no outbound connection from my MyCloud drive before any of these incoming connection attempts).
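An added example, not part of the original post: one way to check router log entries like those described above for fixed-interval polling, and to answer the earlier question of whether the My Cloud made an outbound connection shortly before each inbound one. The log line format, the NAS address 192.168.1.50 and all sample lines are constructed assumptions; only 129.253.8.24 and port 80 come from the thread.

```python
import re
from datetime import datetime
from statistics import median, pstdev

# Constructed sample lines. The log format and the NAS address 192.168.1.50
# are assumptions; only 129.253.8.24 and port 80 come from the thread.
SAMPLE_LOG = """\
2017-03-02 00:01:10 ACCEPT OUT src=192.168.1.50 dst=129.253.8.107 dport=443
2017-03-02 00:14:07 ACCEPT IN src=129.253.8.24 dst=192.168.1.50 dport=80
2017-03-02 00:20:41 DROP IN src=203.0.113.9 dst=192.168.1.50 dport=23
2017-03-02 00:29:11 ACCEPT IN src=129.253.8.24 dst=192.168.1.50 dport=80
2017-03-02 00:44:02 ACCEPT IN src=129.253.8.24 dst=192.168.1.50 dport=80
2017-03-02 00:59:09 ACCEPT IN src=129.253.8.24 dst=192.168.1.50 dport=80
2017-03-02 01:14:05 ACCEPT IN src=129.253.8.24 dst=192.168.1.50 dport=80
"""

LINE = re.compile(r"^(\S+ \S+) (\w+) (IN|OUT) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(log):
    """Turn log text into event dicts, skipping lines that do not match."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, action, direction, src, dst, dport = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "action": action, "dir": direction,
                           "src": src, "dst": dst, "dport": int(dport)})
    return events

def polling_report(events, remote, nas, port=80, lookback_s=120):
    """Summarise inbound hits from `remote` and whether the NAS spoke first."""
    hits = sorted(e["ts"] for e in events if e["dir"] == "IN"
                  and e["src"] == remote and e["dst"] == nas
                  and e["dport"] == port)
    gaps = [(b - a).total_seconds() for a, b in zip(hits, hits[1:])]
    # Outbound connections from the NAS to the same /24 as the remote host.
    prefix = remote.rsplit(".", 1)[0] + "."
    out = [e["ts"] for e in events if e["dir"] == "OUT" and e["src"] == nas
           and e["dst"].startswith(prefix)]
    preceded = sum(any(0 <= (t - o).total_seconds() <= lookback_s for o in out)
                   for t in hits)
    med = median(gaps) if gaps else None
    jitter = pstdev(gaps) if gaps else None
    # Timer-driven polling: 3+ gaps whose spread is under 10% of the median.
    periodic = len(gaps) >= 3 and jitter < 0.1 * med
    return {"count": len(hits), "median_gap_s": med, "jitter_s": jitter,
            "periodic": periodic, "preceded_by_outbound": preceded}

if __name__ == "__main__":
    print(polling_report(parse(SAMPLE_LOG), "129.253.8.24", "192.168.1.50"))
```

A steady gap with low jitter points to a scheduled service check rather than interactive or guessing activity, which would normally show irregular bursts.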
I’ve disabled all remote access and firmware updates, etc. The external connection attempts have stopped. I don’t see any router log entries after disabling remote access. This still concerns me as to why when remote access is enabled there is an attempt to connect to my http port 80 which as you know pops up a login screen. Since these connection attempts (even though it’s from a Western Digital domain ipaddress itself) are constantly occurring about 15 or so minutes apart… it can possibly be a rogue insider hacking attempt at constantly retrying to guess my login credentials.
Unless explained by Western Digital why this polling is occurring so frequently I am keeping my remote access disabled.
I am not running WD Sync on a remote computer. But I do have what is called WD Access software installed currently on the PC that I am typing this from. It does not have WD Sync running nor installed that I can see in my task manager and installed programs menus. No other PCs are running that have WD Sync installed during the times the outside connections are logged. I do have an Android phone that has WD MyCloud installed but it is never running and I don’t use it.
If you are trying to hit my ISP address port 80, yes of course you will get an error because I do not have that port open explicitly. But if UPNP opens the port for WD ipaddress and they come in it is hitting my WD MyCloud port 80 as shown in the router logs I posted to show you all. Port 80 is port 80 on the device and if it hits it, it will get the WD Access login screen.
As previously indicated the My Cloud will not provide the login screen to any computer not on the local network (within the same IP pool). The following is the screen one should get from a remote location when they hit the broadband IP for the My Cloud.
The bottom line is if one is worried about their My Cloud being hacked or is concerned about the traffic from WD servers, then disable Remote Access in the My Cloud Dashboard and/or port forward port 80/443 to dead IP addresses within the local network.
You are saying exactly what I was saying. Outside on the WAN side trying to access my port 80 to my WAN ipaddress will not be allowed because the port is not forwarded on my router. Of course that is the case here. But UPNP control points broadcasting the MyCloud url to WD ipaddress(es) of course will cut a hole and make the path into my local network to access MyCloud port 80. And that is what I see is happening. I think these constant connections are UPNP broadcast device update polling intervals related… but so many in such short intervals?
BTW are you a Western Digital employee or just a forum member? I am a professional IT engineer and software developer myself, so know and understand a bit about this stuff… I just want to find out what exactly those connections coming from WD ipaddress every 15 minutes to my server are.
What happens if you disable UPnP on your router (if enabled and/or supported)? Does the polling stop?
When the My Cloud I use is configured for “relay mode” (Cloud Access Connection Options set to Auto, no port forwarding in router) and because my broadband provided router doesn’t support UPnP, the My Cloud is not reachable at all using a web browser. When I port forward 80/443 to the My Cloud and set Cloud Access Connection Options to Manual, the browser traffic is passed to the My Cloud and I get the screen posted above which clearly shows (look at the URL address bar) it is connecting to the My Cloud but the My Cloud is rejecting the connection and not displaying the Dashboard login.
Most people here including myself are NOT Western Digital employees nor are employed any way by WD. We are users like yourself who came here seeking answers and have stayed to help others.
Okay so you are not using UPNP. I am. I’m pretty sure this must be a UPNP control polling cycle that is connecting to the MyCloud drive. It’s probably safe as I don’t think Western Digital would risk its reputation on being discovered as peeking at folks’ private data. For perspective, if most people look at their router logs (if detailed logging is enabled) they would see all sorts of hacking attempts probing their network. In my router logs I see thousands of DROPPED connection attempts from port scanners probing my WAN ipaddress trying to find an open port and get into my local network. There are literally hundreds of attempts every minute coming from all over the world like Romania, Australia, China, Canada, USA, to name a few. This world is full of hackers always looking to steal your data. I am security conscious.
I am willing to say that the WD ipaddress is not stealing or peeking our private data but probably just a UPNP update probe polling for device status updates.
I’ve reconfigured my network to bridge the ISP router to a personal router running TomatoUSB that has UPnP enabled and I don’t see inbound connections so far (up time about 45 minutes) from 129.253.8.24. I do see several outbound connections (13 so far) to 129.253.8.x addresses but none inbound. This is with the Cloud Access set to Auto. Nor do I get the login page for the Dashboard from a remote connection when hitting my broadband IP. It’s not clear if my My Cloud is actually using UPnP however since the Connection Status indicates Connected (Relay connection established). I also do not have any WD software running on my computer.
I am having a major issue here. My Cloud was clearly hacked and all files are still present but cannot be opened. Western Digital’s cloud storage devices are still vulnerable to security flaws despite patches issued to fix the bugs, the company has said in a blog post. According to the firm, future updates are being planned to patch the affected products, although it’s unclear how many problems are still outstanding.
OS/3 is woefully obsolete and has been replaced by newer OS/5 firmware.
If your device is exposed to the internet. . . .upgrade to OS/5.
Officially, there was a “final patch” that supposedly turns off “cloud services” on an OS/3 device. . . .but that is not sufficient for protection against many attack vectors.
A much better option is to BLOCK all internet traffic to the WD device FROM THE ROUTER. (i.e. cut all the WD software out of the equation: Use the modem software to simply prevent the device from either contacting, or being contacted by, devices outside your home network)
My ultimate solution for using OS/3 firmware? I use it on a router that has no WAN connection. It’s a bit of a PITA. . .but secure.