WD MyCloud IDS Security Alert

Hello,

I am the network admin for a church. I run a Ubiquiti Unifi network with a UDM Pro Gateway. Our data network is a 10.0.8.0/22 scheme, with the router at 10.0.10.1. One of the employees has a WD MyCloud at 10.0.8.71. Twice every day between 8-9pm I get the following security alert from the UDM’s IDS (based on Suricata):

Threat Management Alert 2: Attempted Information Leak. Signature ET SCAN Non-Allowed Host Tried to Connect to MySQL Server. From: 10.0.8.71:3306, to: 10.0.10.1:60695, protocol: TCP

Each day the two alerts come in at the exact same time, but the time changes from day to day.

I assume this is the WD MyCloud accessing the router to access the internet for legitimate functionality, but I am curious to know if anyone has any more definitive info.

Thanks in advance for any assistance!

Is this the My Cloud you have?

I believe that is what he has. I have not actually laid eyes on it in quite a while. It is definitely that size, and it is from probably 3 years ago or so.

Anyone?

Port 3306 is from mysql itself - its bind address has probably been commented out. You will have to ssh into the MyCloud:

ssh root@MyCloud                              # log in to the My Cloud as root
# (enter the root password when prompted)
nano /etc/mysql/mysql.conf.d/mysqld.cnf       # open the MySQL server config

add (or remove the “#” in front of):

bind-address = 127.0.0.1                      # listen on loopback only
Ctrl-o (Write out/save)
Ctrl-x (exit)
/etc/init.d/mysql restart                     # restart so the new bind address takes effect
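A way to confirm the fix took, added here and not from the thread: one function reads the active (uncommented) bind-address from a my.cnf-style file, the other reads `netstat -tln` / `ss -tln` style listener output and reports any port-3306 listener that is not on loopback. The listener tables below are constructed samples; on the device you would pipe the real command output in instead.

```shell
#!/bin/sh
# Constructed sample: MySQL bound to all interfaces (what triggers the IDS alert).
SAMPLE_ALL='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Constructed sample: MySQL bound to loopback only (after the bind-address fix).
SAMPLE_LOOPBACK='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# active_bind_address: reads a my.cnf-style config on stdin and prints the value of
# the last uncommented "bind-address = ..." line, or "none" if every copy is
# commented out (which is the state the answer above describes).
active_bind_address() {
  awk -F= '/^[ \t]*bind-address[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
           END { print (v == "" ? "none" : v) }'
}

# mysql_exposed: reads listener output on stdin, prints the local address of every
# port-3306 LISTEN socket that is not loopback. Exit 0 = exposed, 1 = loopback only.
mysql_exposed() {
  awk '$NF == "LISTEN" {
         n = split($4, a, ":"); port = a[n]
         addr = substr($4, 1, length($4) - length(port) - 1)
         if (port == "3306" && addr != "127.0.0.1" && addr != "::1" && addr != "[::1]") {
           print addr; found = 1
         }
       }
       END { exit found ? 0 : 1 }'
}

# Stand-alone demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_ALL"      | mysql_exposed && echo "exposed: mysqld reachable from the LAN"
printf '%s\n' "$SAMPLE_LOOPBACK" | mysql_exposed || echo "ok: mysqld listens on loopback only"
```

On the device itself, `netstat -tln | mysql_exposed` (or `ss -tln`) after the restart should print nothing and exit 1.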