sync: auto-sync from GURU-BEAST-ROG at 2026-07-09 10:09:06

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-07-09 10:09:06
This commit is contained in:
Winter Williams
2026-07-09 10:09:53 -07:00
parent b3ea44a8ff
commit 252d22048b
4 changed files with 165 additions and 2 deletions

View File

@@ -30,6 +30,7 @@
- [TickTick Integration](reference_ticktick_integration.md) — OAuth API integration, MCP server, SOPS vault creds, project/task CRUD. - [TickTick Integration](reference_ticktick_integration.md) — OAuth API integration, MCP server, SOPS vault creds, project/task CRUD.
- [Client Docs Structure](reference_client_docs_structure.md) — clients/<name>/docs/ layout (overview, network, servers, cloud, security, rmm). Template: clients/_client_template/. - [Client Docs Structure](reference_client_docs_structure.md) — clients/<name>/docs/ layout (overview, network, servers, cloud, security, rmm). Template: clients/_client_template/.
- [Client Wi-Fi Inventory](reference_client_wifi_inventory.md) — Building a fleet Wi-Fi list to connect onsite without asking. Passwords → vault `clients/<slug>/wifi.sops.yaml` (`credentials.<key>_ssid/_password`); readable index → `wiki/reference/client-wifi.md`. `/wifi` importer deferred (structure-only 2026-07-06). - [Client Wi-Fi Inventory](reference_client_wifi_inventory.md) — Building a fleet Wi-Fi list to connect onsite without asking. Passwords → vault `clients/<slug>/wifi.sops.yaml` (`credentials.<key>_ssid/_password`); readable index → `wiki/reference/client-wifi.md`. `/wifi` importer deferred (structure-only 2026-07-06).
- [Git Bash TZ ignored](feedback_gitbash_tz_ignored.md) — `TZ=America/Phoenix date` in Git Bash silently prints UTC (no tzdata) — confidently-wrong "current time". Use PowerShell `Get-Date` (machine already AZ) or plain `date` with no TZ override for now-time on Windows.
- [Discord read replies](feedback_discord_read_replies.md) — Discord DM replies don't come through coord/repo sync. Use `discord-dm.sh read <user>` to see if mike/winter/rob actually answered before assuming silence. - [Discord read replies](feedback_discord_read_replies.md) — Discord DM replies don't come through coord/repo sync. Use `discord-dm.sh read <user>` to see if mike/winter/rob actually answered before assuming silence.
- [MSP Audit Scripts](reference_msp_audit_scripts.md) — server_audit.ps1 / workstation_audit.ps1 at projects/msp-tools/msp-audit-scripts/. - [MSP Audit Scripts](reference_msp_audit_scripts.md) — server_audit.ps1 / workstation_audit.ps1 at projects/msp-tools/msp-audit-scripts/.
- [Pluto Build Server](reference_pluto_build_server.md) — Windows build VM: hostname PLUTO = Unraid VM "Claude-Builder" = 172.16.3.36 (all the same box). MSVC + WiX + Azure Trusted Signing. Drive via /rmm (agent enrolls as PLUTO) when SSH key isn't authorized. - [Pluto Build Server](reference_pluto_build_server.md) — Windows build VM: hostname PLUTO = Unraid VM "Claude-Builder" = 172.16.3.36 (all the same box). MSVC + WiX + Azure Trusted Signing. Drive via /rmm (agent enrolls as PLUTO) when SSH key isn't authorized.
@@ -225,5 +226,5 @@
- [Fire #dev-alerts for client/RMM work](feedback_fire_dev_alerts_for_client_work.md) — Howard+Mike watch #dev-alerts Discord for live visibility into what techs/sessions touch. Fire post-bot-alert.sh ([DEV]/[RMM]/[DEPLOY]/[GURURMM] prefix -> #dev-alerts) at the START of any RMM/Dev or active-client-machine action. No CLAUDE.md rule yet — this memory is the rule. - [Fire #dev-alerts for client/RMM work](feedback_fire_dev_alerts_for_client_work.md) — Howard+Mike watch #dev-alerts Discord for live visibility into what techs/sessions touch. Fire post-bot-alert.sh ([DEV]/[RMM]/[DEPLOY]/[GURURMM] prefix -> #dev-alerts) at the START of any RMM/Dev or active-client-machine action. No CLAUDE.md rule yet — this memory is the rule.
- [M365 app: SharePoint needs CERT](reference_m365_app_sharepoint_rest_vs_graph.md) — SP app-only works via the CERT (get-token.sh <tenant> sharepoint); the secret gives "Unsupported app only token". Graph app-only uses the secret. - [M365 app: SharePoint needs CERT](reference_m365_app_sharepoint_rest_vs_graph.md) — SP app-only works via the CERT (get-token.sh <tenant> sharepoint); the secret gives "Unsupported app only token". Graph app-only uses the secret.
- [EDR auto-isolates GuruRMM PowerShell](project_edr_rmm_autoisolation_fp.md) — Datto "Exfiltration Over HTTP" rule auto-isolates benign GuruRMM scripts fleet-wide (vwp-qbs 4h outage); watcher + narrow suppression deployed, policy fix pending Mike - [EDR auto-isolates GuruRMM PowerShell](project_edr_rmm_autoisolation_fp.md) — Datto "Exfiltration Over HTTP" rule auto-isolates benign GuruRMM scripts fleet-wide (vwp-qbs 4h outage); watcher + narrow suppression deployed, policy fix pending Mike
- [Background tasks — no shell `&`](feedback_background_task_no_ampersand.md) — with run_in_background:true, run the command in the foreground of the shell; adding `&`/`disown` forks + exits 0 instantly, orphaning a blocking wait so it never delivers (hit twice building ask-forum) - [Background tasks — no shell `&`](feedback_background_task_no_ampersand.md) — with run_in_background:true, run the command in the foreground of the shell; adding `&`/`disown` forks + exits 0 instantly, orphaning a blocking wait so it never delivers (hit twice building ask-forum)
- [ask-forum — human-in-the-loop via #ct-forum](../skills/ask-forum/SKILL.md) — ask a teammate a question in the private ct-forum Discord forum, get their human answer back in-session; forum-only, any human can answer, run the --wait as a proper background task - [ask-forum — human-in-the-loop via #ct-forum](../skills/ask-forum/SKILL.md) — ask a teammate a question in the private ct-forum Discord forum, get their human answer back in-session; forum-only, any human can answer, run the --wait as a proper background task

View File

@@ -0,0 +1,22 @@
# Git Bash `TZ=` is silently ignored on Windows — never use it for current-time reporting
**Date:** 2026-07-09
**Source:** Winter correction, Len's Auto browser-hijack thread (Discord bot session)
## What happened
Reported "current time" to Winter as `4:40 PM AZ` using
`TZ="America/Phoenix" date '+... AZ'` in Git Bash on BEAST. MSYS/Git-Bash has no
tzdata for that zone name, so `TZ` was silently ignored and the command printed
**UTC** (16:40) — which the format string then labeled "AZ". Real local time was
9:40 AM AZ. Winter caught it; caused a confusing side-quest about whether BEAST's
clock was a month off (it wasn't — clock + NTP + timezone all correct).
## Rule
- For current date/time on a Windows machine: use **PowerShell `Get-Date`**
(system local time — BEAST is already set to Arizona), or `date` in bash with
NO TZ override (MSYS date honors the Windows local zone), or an external HTTP
`Date:` header for authoritative UTC.
- Never trust `TZ=<IANA zone>` in Git Bash — unknown zones fall back to UTC with
no error, and a hardcoded zone label in the format string turns that into a
confidently-wrong answer.
- Calendar math (`date -d 2026-06-05 +%A`) is unaffected — that stays fine.

View File

@@ -0,0 +1,138 @@
# Len's Auto Brokerage — Brian's PC browser hijack remediation (DESKTOP-0J55V6L)
## User
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
- **Role:** automation (acting on the requester's behalf)
## Session Summary
Winter reported via Discord (#tech-department) that Brian's computer, DESKTOP-0J55V6L at
Len's Auto Brokerage, had "the browser set to Yahoo by mistake" and asked to set the default
browser to Chrome and determine how Yahoo got set.
Investigation via GuruRMM (agent 8cd35efc-ac09-4013-9a04-eba1905fd457, online) showed the
Windows default browser was already Chrome (ChromeHTML for http/https) — no change needed
there. The "Yahoo" was a Chrome search hijack: the default search provider was named "Yahoo"
but routed through joblikedrumscool.com (Yahoo-monetized redirect), and 5 hijack startup pages
were stuffed into the session (velis-browser.com, ldhukelpmetore.com, roundandroundhe.com,
forhedidnotapp.com, joblikedrumscool.com). Root cause: malicious Chrome Web Store extension
"Tap to Sign" (id bejnegmdcklnfcipmkdbmcngioddenpo, perms incl. debugger/webRequest/scripting),
installed Fri 2026-06-05 08:25 AM AZ — one minute before "tax-document (1).pdf" hit Brian's
Downloads. Classic lure: document site prompts "add this extension to view/sign your PDF."
Also found an unrelated OneBrowser PUP (AppData\Local\OB, installed 2026-01-05) with an
OneBUpdate scheduled task.
Remediation (Winter approved closing Chrome mid-session): added the extension id to HKLM
Chrome ExtensionInstallBlocklist; killed Chrome; backed up and cleaned Preferences + Secure
Preferences (removed default_search_provider_data, startup_urls, restore_on_startup, homepage;
removed extension entry); deleted the extension folder; removed OneBrowser entirely (folder,
OneBUpdate task, HKU uninstall key, Start Menu shortcut); relaunched Chrome in Brian's session
via user_session context. Verified: search = Google default, startup URLs clean, extension
files gone (only an inert disabled stub entry remains, reinstall blocked by policy), remaining
extensions all legitimate (Manheim Media Player, Capital One Shopping, Web Store Payments).
Mid-session time confusion: bot reported current time as "4:40 PM AZ" — Git Bash
`TZ=America/Phoenix date` silently ignored TZ (no tzdata) and printed UTC labeled AZ. Winter
caught it. Verified against Google/Cloudflare/Microsoft HTTP Date headers + BEAST NTP-synced
clock: Thursday 2026-07-09, ~9:43 AM AZ. BEAST time settings were already correct (Arizona TZ,
NTP-synced); no system change needed. Logged friction entry + memory rule
(feedback_gitbash_tz_ignored.md). Incident timeline unaffected (June 5 install stands; Winter's
"Sunday" concern traced to July 5 being a Sunday, June 5 a Friday).
Syncro: created ticket #32525 (customer-emailed initial issue per Winter), posted resolution
comment, billed 0.5 hr Labor - Remote Business attributed to Winter (user_id 1737), invoice
#68012 netted $0.00 applying 0.5 prepay hrs (block 4.25 -> 3.75), invoice low-block note set,
ticket marked Invoiced, low-block renewal alert tagged Winter in #bot-alerts.
## Key Decisions
- Diagnosed before acting: Windows default browser was already Chrome, so "set default to
Chrome" was a non-action; the real fix was inside Chrome's profile.
- Used HKLM ExtensionInstallBlocklist policy for the hijacker (survives reinstall attempts,
works even while Chrome runs) in addition to file/prefs removal.
- Edited Preferences/Secure Preferences directly with Chrome closed; MAC mismatch on tracked
prefs makes Chrome reset those settings to factory defaults (Google) — desired outcome.
Backups left on the endpoint (*.acgbak).
- Asked Winter before killing Brian's active Chrome session (44 processes, user logged on);
she approved. Tabs lost by design (startup pages were hijacked anyway).
- "Manheim Media Player" extension judged legitimate (2018 install, auto-auction tooling fits
a car brokerage); left in place.
- Billing line item user_id set to Winter (1737) so attribution/commission goes to the
requesting tech, not the API-key owner (Mike's key).
- Trusted external time sources (3x HTTP Date headers) over both the local tooling output and
the human assertion; result: clock correct, my formatting wrong, month = July.
## Problems Encountered
- Git Bash `TZ=America/Phoenix date` silently printed UTC labeled as AZ -> wrong "current
time" reported to Winter. Fixed by using PowerShell Get-Date / external HTTP Date; logged
to errorlog (--friction) and memory (feedback_gitbash_tz_ignored.md).
- Inline heredoc JSON dispatch to RMM collapsed `\\` in the Chrome path ("invalid escape")
-> used ps-encoded.sh script-file dispatch instead (the documented pattern).
- Residual extension entry in Secure Preferences after Chrome restart: verified inert
(disabled stub, no path, no files, blocklisted) — expected Chrome blocklist tombstone.
## Configuration Changes
On DESKTOP-0J55V6L (Len's Auto Brokerage):
- HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlocklist -> value "1" =
bejnegmdcklnfcipmkdbmcngioddenpo (ADDED)
- Chrome Default profile Preferences + Secure Preferences: removed
default_search_provider_data, session.startup_urls, session.restore_on_startup, homepage,
extensions.settings.bejnegmd... (backups: Preferences.acgbak, "Secure Preferences.acgbak")
- Deleted: ...\User Data\Default\Extensions\bejnegmdcklnfcipmkdbmcngioddenpo\
- Deleted: C:\Users\Brian\AppData\Local\OB\ (OneBrowser PUP), scheduled task "OneBUpdate",
HKU uninstall key "OneBrowser", Start Menu shortcut OneBrowser.lnk
In repo:
- .claude/memory/feedback_gitbash_tz_ignored.md (NEW) + MEMORY.md index line
- errorlog.md: friction entry (bash/env TZ mislabel)
- This session log
## Credentials & Secrets
- None created or discovered. GuruRMM API creds read from vault
infrastructure/gururmm-server.sops.yaml (paths only). Syncro per-user key (Mike's, baked
into /syncro skill) used for API calls.
## Infrastructure & Servers
- Endpoint: DESKTOP-0J55V6L, Windows 11 Home build 26200, user Brian
(SID S-1-5-21-2383568754-549522589-2070366018-1001), Chrome at
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe. Avast consumer AV present
(Overseer task) — noted, not addressed.
- GuruRMM agent id: 8cd35efc-ac09-4013-9a04-eba1905fd457 (client "Len's Auto Brokerage",
site Main) — UUIDs change on re-enroll, resolve live.
- Hijack domains observed: joblikedrumscool.com, velis-browser.com, ldhukelpmetore.com,
roundandroundhe.com, forhedidnotapp.com (search param source=hj).
- BEAST clock: Arizona TZ, NTP time.windows.com, verified correct 2026-07-09.
## Commands & Outputs
- RMM dispatch pattern: `bash .claude/scripts/ps-encoded.sh rmm <agent-id> <script.ps1>
[--user-session]` (inline heredoc JSON mangles `\\` — use script files).
- Key command ids: recon 27192edc / 920d05ef / 3f640b55; blocklist+evidence 7a96a8ec;
Chrome fix c96da74b; PUP removal b797a07e; relaunch 2901545c; verify 3d3d79f1, 4c558d8f.
- Verification output: "Search provider: default (Google) / Startup URLs: none (clean) /
Hijacker ext folder present: False / OB folder: False / Default browser ProgId: ChromeHTML".
- Time check: `curl -sI https://www.google.com | grep -i date` (authoritative UTC) +
PowerShell `Get-Date` + `w32tm /query /status`.
## Pending / Incomplete Tasks
- Len's Auto prepay block at 3.75 hrs (< 4) — renewal outreach flagged to Winter via
#bot-alerts low-block ping.
- Avast consumer AV on the endpoint — possible cleanup/standardization candidate, not in
scope this session.
- Optional: user education note sent in ticket (decline "install extension to view document"
prompts).
## Reference Information
- Syncro ticket #32525 (id 113665965): https://computerguru.syncromsp.com/tickets/113665965
- Syncro invoice #68012 (id 1650996463), $0.00, applied 0.5 prepay hrs
- Syncro customer: Len's Auto Brokerage id 3289131 (contact Becky Kahn); Winter user_id 1737
- Discord thread: 1524812126814994563 (#tech-department)
- Hijacker extension id: bejnegmdcklnfcipmkdbmcngioddenpo ("Tap to Sign")
- Memory: .claude/memory/feedback_gitbash_tz_ignored.md

View File

@@ -19,6 +19,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
<!-- Append entries below this line --> <!-- Append entries below this line -->
2026-07-09 | GURU-BEAST-ROG | bash/env | [friction] reported wrong current time: Git Bash 'TZ=America/Phoenix date' silently ignored TZ and printed UTC mislabeled as AZ; use PowerShell Get-Date (or explicit UTC-7 math) on Windows for time reporting [ctx: thread=lens-auto-browser-hijack corrected_by=Winter]
2026-07-09 | Howard-Home | save/sync.sh | [friction] session log written inside the guru-rmm submodule was NOT committed by /save (sync.sh only stages super-repo; git add -A does not commit files inside a submodule). Log sat untracked through two syncs. Fix: for project-scoped logs in a submodule, commit+push INSIDE the submodule, then 'sync.sh --with-submodules' to advance the pointer. [ctx: project=guru-rmm ref=save-command] 2026-07-09 | Howard-Home | save/sync.sh | [friction] session log written inside the guru-rmm submodule was NOT committed by /save (sync.sh only stages super-repo; git add -A does not commit files inside a submodule). Log sat untracked through two syncs. Fix: for project-scoped logs in a submodule, commit+push INSIDE the submodule, then 'sync.sh --with-submodules' to advance the pointer. [ctx: project=guru-rmm ref=save-command]
2026-07-08 | Howard-Home | screenconnect/syncro | [correction] hand-rolled raw curl against ScreenConnect + Syncro APIs to look up machines/billing instead of using the /screenconnect (sc.py), /syncro, and /rmm-search skills [ctx: ref=CLAUDE.md skill-first] 2026-07-08 | Howard-Home | screenconnect/syncro | [correction] hand-rolled raw curl against ScreenConnect + Syncro APIs to look up machines/billing instead of using the /screenconnect (sc.py), /syncro, and /rmm-search skills [ctx: ref=CLAUDE.md skill-first]