From 252d22048ba0400a466066d9507cc329acac7e4f Mon Sep 17 00:00:00 2001 From: Winter Williams Date: Thu, 9 Jul 2026 10:09:53 -0700 Subject: [PATCH] sync: auto-sync from GURU-BEAST-ROG at 2026-07-09 10:09:06 Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-07-09 10:09:06 --- .claude/memory/MEMORY.md | 5 +- .claude/memory/feedback_gitbash_tz_ignored.md | 22 +++ ...winter-brian-browser-hijack-remediation.md | 138 ++++++++++++++++++ errorlog.md | 2 + 4 files changed, 165 insertions(+), 2 deletions(-) create mode 100644 .claude/memory/feedback_gitbash_tz_ignored.md create mode 100644 clients/lens-auto-brokerage/session-logs/2026-07/2026-07-09-winter-brian-browser-hijack-remediation.md diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index c8c4f5bc..fa4b6dca 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md @@ -30,6 +30,7 @@ - [TickTick Integration](reference_ticktick_integration.md) — OAuth API integration, MCP server, SOPS vault creds, project/task CRUD. - [Client Docs Structure](reference_client_docs_structure.md) — clients//docs/ layout (overview, network, servers, cloud, security, rmm). Template: clients/_client_template/. - [Client Wi-Fi Inventory](reference_client_wifi_inventory.md) — Building a fleet Wi-Fi list to connect onsite without asking. Passwords → vault `clients//wifi.sops.yaml` (`credentials._ssid/_password`); readable index → `wiki/reference/client-wifi.md`. `/wifi` importer deferred (structure-only 2026-07-06). +- [Git Bash TZ ignored](feedback_gitbash_tz_ignored.md) — `TZ=America/Phoenix date` in Git Bash silently prints UTC (no tzdata) — confidently-wrong "current time". Use PowerShell `Get-Date` (machine already AZ) or plain `date` with no TZ override for now-time on Windows. - [Discord read replies](feedback_discord_read_replies.md) — Discord DM replies don't come through coord/repo sync. Use `discord-dm.sh read ` to see if mike/winter/rob actually answered before assuming silence. - [MSP Audit Scripts](reference_msp_audit_scripts.md) — server_audit.ps1 / workstation_audit.ps1 at projects/msp-tools/msp-audit-scripts/. - [Pluto Build Server](reference_pluto_build_server.md) — Windows build VM: hostname PLUTO = Unraid VM "Claude-Builder" = 172.16.3.36 (all the same box). MSVC + WiX + Azure Trusted Signing. Drive via /rmm (agent enrolls as PLUTO) when SSH key isn't authorized. @@ -225,5 +226,5 @@ - [Fire #dev-alerts for client/RMM work](feedback_fire_dev_alerts_for_client_work.md) — Howard+Mike watch #dev-alerts Discord for live visibility into what techs/sessions touch. Fire post-bot-alert.sh ([DEV]/[RMM]/[DEPLOY]/[GURURMM] prefix -> #dev-alerts) at the START of any RMM/Dev or active-client-machine action. No CLAUDE.md rule yet — this memory is the rule. - [M365 app: SharePoint needs CERT](reference_m365_app_sharepoint_rest_vs_graph.md) — SP app-only works via the CERT (get-token.sh sharepoint); the secret gives "Unsupported app only token". Graph app-only uses the secret. - [EDR auto-isolates GuruRMM PowerShell](project_edr_rmm_autoisolation_fp.md) — Datto "Exfiltration Over HTTP" rule auto-isolates benign GuruRMM scripts fleet-wide (vwp-qbs 4h outage); watcher + narrow suppression deployed, policy fix pending Mike -- [Background tasks — no shell `&`](feedback_background_task_no_ampersand.md) — with run_in_background:true, run the command in the foreground of the shell; adding `&`/`disown` forks + exits 0 instantly, orphaning a blocking wait so it never delivers (hit twice building ask-forum) -- [ask-forum — human-in-the-loop via #ct-forum](../skills/ask-forum/SKILL.md) — ask a teammate a question in the private ct-forum Discord forum, get their human answer back in-session; forum-only, any human can answer, run the --wait as a proper background task +- [Background tasks — no shell `&`](feedback_background_task_no_ampersand.md) — with run_in_background:true, run the command in the foreground of the shell; adding `&`/`disown` forks + exits 0 instantly, orphaning a blocking wait so it never delivers (hit twice building ask-forum) +- [ask-forum — human-in-the-loop via #ct-forum](../skills/ask-forum/SKILL.md) — ask a teammate a question in the private ct-forum Discord forum, get their human answer back in-session; forum-only, any human can answer, run the --wait as a proper background task diff --git a/.claude/memory/feedback_gitbash_tz_ignored.md b/.claude/memory/feedback_gitbash_tz_ignored.md new file mode 100644 index 00000000..575c2266 --- /dev/null +++ b/.claude/memory/feedback_gitbash_tz_ignored.md @@ -0,0 +1,22 @@ +# Git Bash `TZ=` is silently ignored on Windows — never use it for current-time reporting + +**Date:** 2026-07-09 +**Source:** Winter correction, Len's Auto browser-hijack thread (Discord bot session) + +## What happened +Reported "current time" to Winter as `4:40 PM AZ` using +`TZ="America/Phoenix" date '+... AZ'` in Git Bash on BEAST. MSYS/Git-Bash has no +tzdata for that zone name, so `TZ` was silently ignored and the command printed +**UTC** (16:40) — which the format string then labeled "AZ". Real local time was +9:40 AM AZ. Winter caught it; caused a confusing side-quest about whether BEAST's +clock was a month off (it wasn't — clock + NTP + timezone all correct). + +## Rule +- For current date/time on a Windows machine: use **PowerShell `Get-Date`** + (system local time — BEAST is already set to Arizona), or `date` in bash with + NO TZ override (MSYS date honors the Windows local zone), or an external HTTP + `Date:` header for authoritative UTC. +- Never trust `TZ=` in Git Bash — unknown zones fall back to UTC with + no error, and a hardcoded zone label in the format string turns that into a + confidently-wrong answer. +- Calendar math (`date -d 2026-06-05 +%A`) is unaffected — that stays fine. diff --git a/clients/lens-auto-brokerage/session-logs/2026-07/2026-07-09-winter-brian-browser-hijack-remediation.md b/clients/lens-auto-brokerage/session-logs/2026-07/2026-07-09-winter-brian-browser-hijack-remediation.md new file mode 100644 index 00000000..116b180a --- /dev/null +++ b/clients/lens-auto-brokerage/session-logs/2026-07/2026-07-09-winter-brian-browser-hijack-remediation.md @@ -0,0 +1,138 @@ +# Len's Auto Brokerage — Brian's PC browser hijack remediation (DESKTOP-0J55V6L) + +## User +- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG) +- **Requested by:** Winter Williams (@winterguru, via Discord) - tech +- **Role:** automation (acting on the requester's behalf) + +## Session Summary + +Winter reported via Discord (#tech-department) that Brian's computer, DESKTOP-0J55V6L at +Len's Auto Brokerage, had "the browser set to Yahoo by mistake" and asked to set the default +browser to Chrome and determine how Yahoo got set. + +Investigation via GuruRMM (agent 8cd35efc-ac09-4013-9a04-eba1905fd457, online) showed the +Windows default browser was already Chrome (ChromeHTML for http/https) — no change needed +there. The "Yahoo" was a Chrome search hijack: the default search provider was named "Yahoo" +but routed through joblikedrumscool.com (Yahoo-monetized redirect), and 5 hijack startup pages +were stuffed into the session (velis-browser.com, ldhukelpmetore.com, roundandroundhe.com, +forhedidnotapp.com, joblikedrumscool.com). Root cause: malicious Chrome Web Store extension +"Tap to Sign" (id bejnegmdcklnfcipmkdbmcngioddenpo, perms incl. debugger/webRequest/scripting), +installed Fri 2026-06-05 08:25 AM AZ — one minute before "tax-document (1).pdf" hit Brian's +Downloads. Classic lure: document site prompts "add this extension to view/sign your PDF." +Also found an unrelated OneBrowser PUP (AppData\Local\OB, installed 2026-01-05) with an +OneBUpdate scheduled task. + +Remediation (Winter approved closing Chrome mid-session): added the extension id to HKLM +Chrome ExtensionInstallBlocklist; killed Chrome; backed up and cleaned Preferences + Secure +Preferences (removed default_search_provider_data, startup_urls, restore_on_startup, homepage; +removed extension entry); deleted the extension folder; removed OneBrowser entirely (folder, +OneBUpdate task, HKU uninstall key, Start Menu shortcut); relaunched Chrome in Brian's session +via user_session context. Verified: search = Google default, startup URLs clean, extension +files gone (only an inert disabled stub entry remains, reinstall blocked by policy), remaining +extensions all legitimate (Manheim Media Player, Capital One Shopping, Web Store Payments). + +Mid-session time confusion: bot reported current time as "4:40 PM AZ" — Git Bash +`TZ=America/Phoenix date` silently ignored TZ (no tzdata) and printed UTC labeled AZ. Winter +caught it. Verified against Google/Cloudflare/Microsoft HTTP Date headers + BEAST NTP-synced +clock: Thursday 2026-07-09, ~9:43 AM AZ. BEAST time settings were already correct (Arizona TZ, +NTP-synced); no system change needed. Logged friction entry + memory rule +(feedback_gitbash_tz_ignored.md). Incident timeline unaffected (June 5 install stands; Winter's +"Sunday" concern traced to July 5 being a Sunday, June 5 a Friday). + +Syncro: created ticket #32525 (customer-emailed initial issue per Winter), posted resolution +comment, billed 0.5 hr Labor - Remote Business attributed to Winter (user_id 1737), invoice +#68012 netted $0.00 applying 0.5 prepay hrs (block 4.25 -> 3.75), invoice low-block note set, +ticket marked Invoiced, low-block renewal alert tagged Winter in #bot-alerts. + +## Key Decisions + +- Diagnosed before acting: Windows default browser was already Chrome, so "set default to + Chrome" was a non-action; the real fix was inside Chrome's profile. +- Used HKLM ExtensionInstallBlocklist policy for the hijacker (survives reinstall attempts, + works even while Chrome runs) in addition to file/prefs removal. +- Edited Preferences/Secure Preferences directly with Chrome closed; MAC mismatch on tracked + prefs makes Chrome reset those settings to factory defaults (Google) — desired outcome. + Backups left on the endpoint (*.acgbak). +- Asked Winter before killing Brian's active Chrome session (44 processes, user logged on); + she approved. Tabs lost by design (startup pages were hijacked anyway). +- "Manheim Media Player" extension judged legitimate (2018 install, auto-auction tooling fits + a car brokerage); left in place. +- Billing line item user_id set to Winter (1737) so attribution/commission goes to the + requesting tech, not the API-key owner (Mike's key). +- Trusted external time sources (3x HTTP Date headers) over both the local tooling output and + the human assertion; result: clock correct, my formatting wrong, month = July. + +## Problems Encountered + +- Git Bash `TZ=America/Phoenix date` silently printed UTC labeled as AZ -> wrong "current + time" reported to Winter. Fixed by using PowerShell Get-Date / external HTTP Date; logged + to errorlog (--friction) and memory (feedback_gitbash_tz_ignored.md). +- Inline heredoc JSON dispatch to RMM collapsed `\\` in the Chrome path ("invalid escape") + -> used ps-encoded.sh script-file dispatch instead (the documented pattern). +- Residual extension entry in Secure Preferences after Chrome restart: verified inert + (disabled stub, no path, no files, blocklisted) — expected Chrome blocklist tombstone. + +## Configuration Changes + +On DESKTOP-0J55V6L (Len's Auto Brokerage): +- HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlocklist -> value "1" = + bejnegmdcklnfcipmkdbmcngioddenpo (ADDED) +- Chrome Default profile Preferences + Secure Preferences: removed + default_search_provider_data, session.startup_urls, session.restore_on_startup, homepage, + extensions.settings.bejnegmd... (backups: Preferences.acgbak, "Secure Preferences.acgbak") +- Deleted: ...\User Data\Default\Extensions\bejnegmdcklnfcipmkdbmcngioddenpo\ +- Deleted: C:\Users\Brian\AppData\Local\OB\ (OneBrowser PUP), scheduled task "OneBUpdate", + HKU uninstall key "OneBrowser", Start Menu shortcut OneBrowser.lnk + +In repo: +- .claude/memory/feedback_gitbash_tz_ignored.md (NEW) + MEMORY.md index line +- errorlog.md: friction entry (bash/env TZ mislabel) +- This session log + +## Credentials & Secrets + +- None created or discovered. GuruRMM API creds read from vault + infrastructure/gururmm-server.sops.yaml (paths only). Syncro per-user key (Mike's, baked + into /syncro skill) used for API calls. + +## Infrastructure & Servers + +- Endpoint: DESKTOP-0J55V6L, Windows 11 Home build 26200, user Brian + (SID S-1-5-21-2383568754-549522589-2070366018-1001), Chrome at + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe. Avast consumer AV present + (Overseer task) — noted, not addressed. +- GuruRMM agent id: 8cd35efc-ac09-4013-9a04-eba1905fd457 (client "Len's Auto Brokerage", + site Main) — UUIDs change on re-enroll, resolve live. +- Hijack domains observed: joblikedrumscool.com, velis-browser.com, ldhukelpmetore.com, + roundandroundhe.com, forhedidnotapp.com (search param source=hj). +- BEAST clock: Arizona TZ, NTP time.windows.com, verified correct 2026-07-09. + +## Commands & Outputs + +- RMM dispatch pattern: `bash .claude/scripts/ps-encoded.sh rmm + [--user-session]` (inline heredoc JSON mangles `\\` — use script files). +- Key command ids: recon 27192edc / 920d05ef / 3f640b55; blocklist+evidence 7a96a8ec; + Chrome fix c96da74b; PUP removal b797a07e; relaunch 2901545c; verify 3d3d79f1, 4c558d8f. +- Verification output: "Search provider: default (Google) / Startup URLs: none (clean) / + Hijacker ext folder present: False / OB folder: False / Default browser ProgId: ChromeHTML". +- Time check: `curl -sI https://www.google.com | grep -i date` (authoritative UTC) + + PowerShell `Get-Date` + `w32tm /query /status`. + +## Pending / Incomplete Tasks + +- Len's Auto prepay block at 3.75 hrs (< 4) — renewal outreach flagged to Winter via + #bot-alerts low-block ping. +- Avast consumer AV on the endpoint — possible cleanup/standardization candidate, not in + scope this session. +- Optional: user education note sent in ticket (decline "install extension to view document" + prompts). + +## Reference Information + +- Syncro ticket #32525 (id 113665965): https://computerguru.syncromsp.com/tickets/113665965 +- Syncro invoice #68012 (id 1650996463), $0.00, applied 0.5 prepay hrs +- Syncro customer: Len's Auto Brokerage id 3289131 (contact Becky Kahn); Winter user_id 1737 +- Discord thread: 1524812126814994563 (#tech-department) +- Hijacker extension id: bejnegmdcklnfcipmkdbmcngioddenpo ("Tap to Sign") +- Memory: .claude/memory/feedback_gitbash_tz_ignored.md diff --git a/errorlog.md b/errorlog.md index 45405ced..7ffa8d85 100644 --- a/errorlog.md +++ b/errorlog.md @@ -19,6 +19,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · +2026-07-09 | GURU-BEAST-ROG | bash/env | [friction] reported wrong current time: Git Bash 'TZ=America/Phoenix date' silently ignored TZ and printed UTC mislabeled as AZ; use PowerShell Get-Date (or explicit UTC-7 math) on Windows for time reporting [ctx: thread=lens-auto-browser-hijack corrected_by=Winter] + 2026-07-09 | Howard-Home | save/sync.sh | [friction] session log written inside the guru-rmm submodule was NOT committed by /save (sync.sh only stages super-repo; git add -A does not commit files inside a submodule). Log sat untracked through two syncs. Fix: for project-scoped logs in a submodule, commit+push INSIDE the submodule, then 'sync.sh --with-submodules' to advance the pointer. [ctx: project=guru-rmm ref=save-command] 2026-07-08 | Howard-Home | screenconnect/syncro | [correction] hand-rolled raw curl against ScreenConnect + Syncro APIs to look up machines/billing instead of using the /screenconnect (sc.py), /syncro, and /rmm-search skills [ctx: ref=CLAUDE.md skill-first]