Why is my webserver getting what looks like My Cloud device traffic?

I’m a webmaster for a server hosted at medlineplus.orionhealthcloud.com. I’m seeing a lot of traffic for the following requests that appear related to this WD Cloud service.

GET /api/1.0/rest/device_port_forward/163642?format=xml&rest_method=put&ip=NULL&local_ip=192.168.178.24&forward_port=0&forward_ssl_port=0&device_auth=30c08ba005***********
GET /api/1.0/rest/device_communication/476901?format=xml&external_ip=203.166.240.144&external_port=8085&protocol=HTTP&device_auth=1c0e518023240f64621d***********

Anyone know how I’d get in touch with anyone who knows why my service is being sent traffic from WD Cloud devices (assuming that’s what is generating the traffic)?

Thanks!

Those appear to be REST transactions. I see nothing that suggests it’s MyCloud specific. REST is not specific to MyCloud.

It could be accidental, or it could be attempts to hack into your server.

Possibly, but a search of Google for that specific set of REST API paths led me to this community. Specifically: Suddenly can only get relay connection (server problem?) - #7 by Morac

Found other Western Digital posts with the exact same REST API paths as well.

The https://www.wd2go.com domain referenced in that earlier post currently points to an ELB Amazon EC2 instance. Wondering if something has a hardcoded IP address from that domain in the past and our Amazon ELB now has that IP address.

Pretty weird way to try and hack a server by sending REST API requests that are simply 404’ing…

Which particular bit of the GET transactions pointed to that thread? I note that thread is My Book Live, not the MyCloud; different devices, although they can both access the (now defunct) wd2go.com service.

I’m not denying it’s a WD product related transaction; I don’t care either way, as, like almost everyone on this forum, I’m a user, not WD Support. Maybe you should try contacting WD Support?

That’s definitely a request coming from a WD Drive, though the only way it should go to your web site is if someone modified the files on the drive to change the hardcoded URL to something else.

The IP address the request is coming from is listed (it’s from an Australian ISP, IINet). You might want to try their abuse department.

Thanks for the suggestions. The traffic we are seeing is from more than just one IP address (that was just a couple of example lines from 100s of thousands). Not a huge amount though - only a couple of hundred unique external_ip parameters have shown up in the logs.

I’ll get in touch with WD support and see what they say.
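For anyone triaging the same kind of stray traffic, here is an added example (my own, not code from the original poster or from WD): it parses a few constructed Apache-style access-log lines, picks out the two REST paths quoted in the thread, masks the device_auth token, and tallies the unique source IPs and external_ip parameters the way the poster described. The log lines, IPs and tokens are made up.

```python
"""Triage the WD My Cloud / My Book Live style REST requests quoted in the thread.
Added example: parse constructed access-log lines, keep only the two endpoints
from the thread, mask device_auth, and count unique sources and external_ip values."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined format (IPs and tokens are made up).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2019:10:00:01 +0000] "GET /api/1.0/rest/device_port_forward/163642?format=xml&rest_method=put&ip=NULL&local_ip=192.168.178.24&forward_port=0&forward_ssl_port=0&device_auth=30c08ba005deadbeef HTTP/1.1" 404 196
203.0.113.10 - - [01/Mar/2019:10:00:02 +0000] "GET /api/1.0/rest/device_communication/476901?format=xml&external_ip=203.0.113.10&external_port=8085&protocol=HTTP&device_auth=1c0e518023240f64621d HTTP/1.1" 404 196
198.51.100.7 - - [01/Mar/2019:10:00:05 +0000] "GET /api/1.0/rest/device_communication/990001?format=xml&external_ip=198.51.100.7&external_port=8080&protocol=HTTP&device_auth=abcdef0123456789 HTTP/1.1" 404 196
198.51.100.9 - - [01/Mar/2019:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# The two REST paths quoted in the thread; the numeric suffix is the device id.
WD_PATH_RE = re.compile(r'^/api/1\.0/rest/(device_port_forward|device_communication)/\d+$')

def parse_line(line):
    """Return a dict for one WD-style request, or None if the line is something else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    if not WD_PATH_RE.match(url.path):
        return None
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    # Do not keep the device credential in triage output; mask it as the poster did.
    if 'device_auth' in params:
        params['device_auth'] = params['device_auth'][:10] + '***'
    return {'src': m.group('src'), 'path': url.path, 'status': m.group('status'), 'params': params}

def summarize(log_text):
    """Count WD requests per endpoint, unique source IPs and unique external_ip values."""
    hits = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        'requests': len(hits),
        'by_endpoint': Counter(h['path'].split('/')[4] for h in hits),
        'unique_sources': sorted({h['src'] for h in hits}),
        'unique_external_ip': sorted({h['params']['external_ip'] for h in hits if 'external_ip' in h['params']}),
        'all_404': all(h['status'] == '404' for h in hits),
    }

if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

Point it at the real access log (for example `summarize(open('access.log').read())`) to get the unique external_ip list to hand to WD Support or an ISP abuse desk.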