sync: auto-sync from GURU-BEAST-ROG at 2026-07-09 10:09:06
Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-07-09 10:09:06
This commit is contained in:
@@ -30,6 +30,7 @@
|
|||||||
- [TickTick Integration](reference_ticktick_integration.md) — OAuth API integration, MCP server, SOPS vault creds, project/task CRUD.
|
- [TickTick Integration](reference_ticktick_integration.md) — OAuth API integration, MCP server, SOPS vault creds, project/task CRUD.
|
||||||
- [Client Docs Structure](reference_client_docs_structure.md) — clients/<name>/docs/ layout (overview, network, servers, cloud, security, rmm). Template: clients/_client_template/.
|
- [Client Docs Structure](reference_client_docs_structure.md) — clients/<name>/docs/ layout (overview, network, servers, cloud, security, rmm). Template: clients/_client_template/.
|
||||||
- [Client Wi-Fi Inventory](reference_client_wifi_inventory.md) — Building a fleet Wi-Fi list to connect onsite without asking. Passwords → vault `clients/<slug>/wifi.sops.yaml` (`credentials.<key>_ssid/_password`); readable index → `wiki/reference/client-wifi.md`. `/wifi` importer deferred (structure-only 2026-07-06).
|
- [Client Wi-Fi Inventory](reference_client_wifi_inventory.md) — Building a fleet Wi-Fi list to connect onsite without asking. Passwords → vault `clients/<slug>/wifi.sops.yaml` (`credentials.<key>_ssid/_password`); readable index → `wiki/reference/client-wifi.md`. `/wifi` importer deferred (structure-only 2026-07-06).
|
||||||
|
- [Git Bash TZ ignored](feedback_gitbash_tz_ignored.md) — `TZ=America/Phoenix date` in Git Bash silently prints UTC (no tzdata) — confidently-wrong "current time". Use PowerShell `Get-Date` (machine already AZ) or plain `date` with no TZ override for now-time on Windows.
|
||||||
- [Discord read replies](feedback_discord_read_replies.md) — Discord DM replies don't come through coord/repo sync. Use `discord-dm.sh read <user>` to see if mike/winter/rob actually answered before assuming silence.
|
- [Discord read replies](feedback_discord_read_replies.md) — Discord DM replies don't come through coord/repo sync. Use `discord-dm.sh read <user>` to see if mike/winter/rob actually answered before assuming silence.
|
||||||
- [MSP Audit Scripts](reference_msp_audit_scripts.md) — server_audit.ps1 / workstation_audit.ps1 at projects/msp-tools/msp-audit-scripts/.
|
- [MSP Audit Scripts](reference_msp_audit_scripts.md) — server_audit.ps1 / workstation_audit.ps1 at projects/msp-tools/msp-audit-scripts/.
|
||||||
- [Pluto Build Server](reference_pluto_build_server.md) — Windows build VM: hostname PLUTO = Unraid VM "Claude-Builder" = 172.16.3.36 (all the same box). MSVC + WiX + Azure Trusted Signing. Drive via /rmm (agent enrolls as PLUTO) when SSH key isn't authorized.
|
- [Pluto Build Server](reference_pluto_build_server.md) — Windows build VM: hostname PLUTO = Unraid VM "Claude-Builder" = 172.16.3.36 (all the same box). MSVC + WiX + Azure Trusted Signing. Drive via /rmm (agent enrolls as PLUTO) when SSH key isn't authorized.
|
||||||
@@ -225,5 +226,5 @@
|
|||||||
- [Fire #dev-alerts for client/RMM work](feedback_fire_dev_alerts_for_client_work.md) — Howard+Mike watch #dev-alerts Discord for live visibility into what techs/sessions touch. Fire post-bot-alert.sh ([DEV]/[RMM]/[DEPLOY]/[GURURMM] prefix -> #dev-alerts) at the START of any RMM/Dev or active-client-machine action. No CLAUDE.md rule yet — this memory is the rule.
|
- [Fire #dev-alerts for client/RMM work](feedback_fire_dev_alerts_for_client_work.md) — Howard+Mike watch #dev-alerts Discord for live visibility into what techs/sessions touch. Fire post-bot-alert.sh ([DEV]/[RMM]/[DEPLOY]/[GURURMM] prefix -> #dev-alerts) at the START of any RMM/Dev or active-client-machine action. No CLAUDE.md rule yet — this memory is the rule.
|
||||||
- [M365 app: SharePoint needs CERT](reference_m365_app_sharepoint_rest_vs_graph.md) — SP app-only works via the CERT (get-token.sh <tenant> sharepoint); the secret gives "Unsupported app only token". Graph app-only uses the secret.
|
- [M365 app: SharePoint needs CERT](reference_m365_app_sharepoint_rest_vs_graph.md) — SP app-only works via the CERT (get-token.sh <tenant> sharepoint); the secret gives "Unsupported app only token". Graph app-only uses the secret.
|
||||||
- [EDR auto-isolates GuruRMM PowerShell](project_edr_rmm_autoisolation_fp.md) — Datto "Exfiltration Over HTTP" rule auto-isolates benign GuruRMM scripts fleet-wide (vwp-qbs 4h outage); watcher + narrow suppression deployed, policy fix pending Mike
|
- [EDR auto-isolates GuruRMM PowerShell](project_edr_rmm_autoisolation_fp.md) — Datto "Exfiltration Over HTTP" rule auto-isolates benign GuruRMM scripts fleet-wide (vwp-qbs 4h outage); watcher + narrow suppression deployed, policy fix pending Mike
|
||||||
- [Background tasks — no shell `&`](feedback_background_task_no_ampersand.md) — with run_in_background:true, run the command in the foreground of the shell; adding `&`/`disown` forks + exits 0 instantly, orphaning a blocking wait so it never delivers (hit twice building ask-forum)
|
- [Background tasks — no shell `&`](feedback_background_task_no_ampersand.md) — with run_in_background:true, run the command in the foreground of the shell; adding `&`/`disown` forks + exits 0 instantly, orphaning a blocking wait so it never delivers (hit twice building ask-forum)
|
||||||
- [ask-forum — human-in-the-loop via #ct-forum](../skills/ask-forum/SKILL.md) — ask a teammate a question in the private ct-forum Discord forum, get their human answer back in-session; forum-only, any human can answer, run the --wait as a proper background task
|
- [ask-forum — human-in-the-loop via #ct-forum](../skills/ask-forum/SKILL.md) — ask a teammate a question in the private ct-forum Discord forum, get their human answer back in-session; forum-only, any human can answer, run the --wait as a proper background task
|
||||||
|
|||||||
22
.claude/memory/feedback_gitbash_tz_ignored.md
Normal file
22
.claude/memory/feedback_gitbash_tz_ignored.md
Normal file
@@ -0,0 +1,22 @@
|
|||||||
|
# Git Bash `TZ=` is silently ignored on Windows — never use it for current-time reporting
|
||||||
|
|
||||||
|
**Date:** 2026-07-09
|
||||||
|
**Source:** Winter correction, Len's Auto browser-hijack thread (Discord bot session)
|
||||||
|
|
||||||
|
## What happened
|
||||||
|
Reported "current time" to Winter as `4:40 PM AZ` using
|
||||||
|
`TZ="America/Phoenix" date '+... AZ'` in Git Bash on BEAST. MSYS/Git-Bash has no
|
||||||
|
tzdata for that zone name, so `TZ` was silently ignored and the command printed
|
||||||
|
**UTC** (16:40) — which the format string then labeled "AZ". Real local time was
|
||||||
|
9:40 AM AZ. Winter caught it; caused a confusing side-quest about whether BEAST's
|
||||||
|
clock was a month off (it wasn't — clock + NTP + timezone all correct).
|
||||||
|
|
||||||
|
## Rule
|
||||||
|
- For current date/time on a Windows machine: use **PowerShell `Get-Date`**
|
||||||
|
(system local time — BEAST is already set to Arizona), or `date` in bash with
|
||||||
|
NO TZ override (MSYS date honors the Windows local zone), or an external HTTP
|
||||||
|
`Date:` header for authoritative UTC.
|
||||||
|
- Never trust `TZ=<IANA zone>` in Git Bash — unknown zones fall back to UTC with
|
||||||
|
no error, and a hardcoded zone label in the format string turns that into a
|
||||||
|
confidently-wrong answer.
|
||||||
|
- Calendar math (`date -d 2026-06-05 +%A`) is unaffected — that stays fine.
|
||||||
@@ -0,0 +1,138 @@
|
|||||||
|
# Len's Auto Brokerage — Brian's PC browser hijack remediation (DESKTOP-0J55V6L)
|
||||||
|
|
||||||
|
## User
|
||||||
|
- **Executed by:** ClaudeTools Discord Bot (GURU-BEAST-ROG)
|
||||||
|
- **Requested by:** Winter Williams (@winterguru, via Discord) - tech
|
||||||
|
- **Role:** automation (acting on the requester's behalf)
|
||||||
|
|
||||||
|
## Session Summary
|
||||||
|
|
||||||
|
Winter reported via Discord (#tech-department) that Brian's computer, DESKTOP-0J55V6L at
|
||||||
|
Len's Auto Brokerage, had "the browser set to Yahoo by mistake" and asked to set the default
|
||||||
|
browser to Chrome and determine how Yahoo got set.
|
||||||
|
|
||||||
|
Investigation via GuruRMM (agent 8cd35efc-ac09-4013-9a04-eba1905fd457, online) showed the
|
||||||
|
Windows default browser was already Chrome (ChromeHTML for http/https) — no change needed
|
||||||
|
there. The "Yahoo" was a Chrome search hijack: the default search provider was named "Yahoo"
|
||||||
|
but routed through joblikedrumscool.com (Yahoo-monetized redirect), and 5 hijack startup pages
|
||||||
|
were stuffed into the session (velis-browser.com, ldhukelpmetore.com, roundandroundhe.com,
|
||||||
|
forhedidnotapp.com, joblikedrumscool.com). Root cause: malicious Chrome Web Store extension
|
||||||
|
"Tap to Sign" (id bejnegmdcklnfcipmkdbmcngioddenpo, perms incl. debugger/webRequest/scripting),
|
||||||
|
installed Fri 2026-06-05 08:25 AM AZ — one minute before "tax-document (1).pdf" hit Brian's
|
||||||
|
Downloads. Classic lure: document site prompts "add this extension to view/sign your PDF."
|
||||||
|
Also found an unrelated OneBrowser PUP (AppData\Local\OB, installed 2026-01-05) with an
|
||||||
|
OneBUpdate scheduled task.
|
||||||
|
|
||||||
|
Remediation (Winter approved closing Chrome mid-session): added the extension id to HKLM
|
||||||
|
Chrome ExtensionInstallBlocklist; killed Chrome; backed up and cleaned Preferences + Secure
|
||||||
|
Preferences (removed default_search_provider_data, startup_urls, restore_on_startup, homepage;
|
||||||
|
removed extension entry); deleted the extension folder; removed OneBrowser entirely (folder,
|
||||||
|
OneBUpdate task, HKU uninstall key, Start Menu shortcut); relaunched Chrome in Brian's session
|
||||||
|
via user_session context. Verified: search = Google default, startup URLs clean, extension
|
||||||
|
files gone (only an inert disabled stub entry remains, reinstall blocked by policy), remaining
|
||||||
|
extensions all legitimate (Manheim Media Player, Capital One Shopping, Web Store Payments).
|
||||||
|
|
||||||
|
Mid-session time confusion: bot reported current time as "4:40 PM AZ" — Git Bash
|
||||||
|
`TZ=America/Phoenix date` silently ignored TZ (no tzdata) and printed UTC labeled AZ. Winter
|
||||||
|
caught it. Verified against Google/Cloudflare/Microsoft HTTP Date headers + BEAST NTP-synced
|
||||||
|
clock: Thursday 2026-07-09, ~9:43 AM AZ. BEAST time settings were already correct (Arizona TZ,
|
||||||
|
NTP-synced); no system change needed. Logged friction entry + memory rule
|
||||||
|
(feedback_gitbash_tz_ignored.md). Incident timeline unaffected (June 5 install stands; Winter's
|
||||||
|
"Sunday" concern traced to July 5 being a Sunday, June 5 a Friday).
|
||||||
|
|
||||||
|
Syncro: created ticket #32525 (customer-emailed initial issue per Winter), posted resolution
|
||||||
|
comment, billed 0.5 hr Labor - Remote Business attributed to Winter (user_id 1737), invoice
|
||||||
|
#68012 netted $0.00 applying 0.5 prepay hrs (block 4.25 -> 3.75), invoice low-block note set,
|
||||||
|
ticket marked Invoiced, low-block renewal alert tagged Winter in #bot-alerts.
|
||||||
|
|
||||||
|
## Key Decisions
|
||||||
|
|
||||||
|
- Diagnosed before acting: Windows default browser was already Chrome, so "set default to
|
||||||
|
Chrome" was a non-action; the real fix was inside Chrome's profile.
|
||||||
|
- Used HKLM ExtensionInstallBlocklist policy for the hijacker (survives reinstall attempts,
|
||||||
|
works even while Chrome runs) in addition to file/prefs removal.
|
||||||
|
- Edited Preferences/Secure Preferences directly with Chrome closed; MAC mismatch on tracked
|
||||||
|
prefs makes Chrome reset those settings to factory defaults (Google) — desired outcome.
|
||||||
|
Backups left on the endpoint (*.acgbak).
|
||||||
|
- Asked Winter before killing Brian's active Chrome session (44 processes, user logged on);
|
||||||
|
she approved. Tabs lost by design (startup pages were hijacked anyway).
|
||||||
|
- "Manheim Media Player" extension judged legitimate (2018 install, auto-auction tooling fits
|
||||||
|
a car brokerage); left in place.
|
||||||
|
- Billing line item user_id set to Winter (1737) so attribution/commission goes to the
|
||||||
|
requesting tech, not the API-key owner (Mike's key).
|
||||||
|
- Trusted external time sources (3x HTTP Date headers) over both the local tooling output and
|
||||||
|
the human assertion; result: clock correct, my formatting wrong, month = July.
|
||||||
|
|
||||||
|
## Problems Encountered
|
||||||
|
|
||||||
|
- Git Bash `TZ=America/Phoenix date` silently printed UTC labeled as AZ -> wrong "current
|
||||||
|
time" reported to Winter. Fixed by using PowerShell Get-Date / external HTTP Date; logged
|
||||||
|
to errorlog (--friction) and memory (feedback_gitbash_tz_ignored.md).
|
||||||
|
- Inline heredoc JSON dispatch to RMM collapsed `\\` in the Chrome path ("invalid escape")
|
||||||
|
-> used ps-encoded.sh script-file dispatch instead (the documented pattern).
|
||||||
|
- Residual extension entry in Secure Preferences after Chrome restart: verified inert
|
||||||
|
(disabled stub, no path, no files, blocklisted) — expected Chrome blocklist tombstone.
|
||||||
|
|
||||||
|
## Configuration Changes
|
||||||
|
|
||||||
|
On DESKTOP-0J55V6L (Len's Auto Brokerage):
|
||||||
|
- HKLM:\Software\Policies\Google\Chrome\ExtensionInstallBlocklist -> value "1" =
|
||||||
|
bejnegmdcklnfcipmkdbmcngioddenpo (ADDED)
|
||||||
|
- Chrome Default profile Preferences + Secure Preferences: removed
|
||||||
|
default_search_provider_data, session.startup_urls, session.restore_on_startup, homepage,
|
||||||
|
extensions.settings.bejnegmd... (backups: Preferences.acgbak, "Secure Preferences.acgbak")
|
||||||
|
- Deleted: ...\User Data\Default\Extensions\bejnegmdcklnfcipmkdbmcngioddenpo\
|
||||||
|
- Deleted: C:\Users\Brian\AppData\Local\OB\ (OneBrowser PUP), scheduled task "OneBUpdate",
|
||||||
|
HKU uninstall key "OneBrowser", Start Menu shortcut OneBrowser.lnk
|
||||||
|
|
||||||
|
In repo:
|
||||||
|
- .claude/memory/feedback_gitbash_tz_ignored.md (NEW) + MEMORY.md index line
|
||||||
|
- errorlog.md: friction entry (bash/env TZ mislabel)
|
||||||
|
- This session log
|
||||||
|
|
||||||
|
## Credentials & Secrets
|
||||||
|
|
||||||
|
- None created or discovered. GuruRMM API creds read from vault
|
||||||
|
infrastructure/gururmm-server.sops.yaml (paths only). Syncro per-user key (Mike's, baked
|
||||||
|
into /syncro skill) used for API calls.
|
||||||
|
|
||||||
|
## Infrastructure & Servers
|
||||||
|
|
||||||
|
- Endpoint: DESKTOP-0J55V6L, Windows 11 Home build 26200, user Brian
|
||||||
|
(SID S-1-5-21-2383568754-549522589-2070366018-1001), Chrome at
|
||||||
|
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe. Avast consumer AV present
|
||||||
|
(Overseer task) — noted, not addressed.
|
||||||
|
- GuruRMM agent id: 8cd35efc-ac09-4013-9a04-eba1905fd457 (client "Len's Auto Brokerage",
|
||||||
|
site Main) — UUIDs change on re-enroll, resolve live.
|
||||||
|
- Hijack domains observed: joblikedrumscool.com, velis-browser.com, ldhukelpmetore.com,
|
||||||
|
roundandroundhe.com, forhedidnotapp.com (search param source=hj).
|
||||||
|
- BEAST clock: Arizona TZ, NTP time.windows.com, verified correct 2026-07-09.
|
||||||
|
|
||||||
|
## Commands & Outputs
|
||||||
|
|
||||||
|
- RMM dispatch pattern: `bash .claude/scripts/ps-encoded.sh rmm <agent-id> <script.ps1>
|
||||||
|
[--user-session]` (inline heredoc JSON mangles `\\` — use script files).
|
||||||
|
- Key command ids: recon 27192edc / 920d05ef / 3f640b55; blocklist+evidence 7a96a8ec;
|
||||||
|
Chrome fix c96da74b; PUP removal b797a07e; relaunch 2901545c; verify 3d3d79f1, 4c558d8f.
|
||||||
|
- Verification output: "Search provider: default (Google) / Startup URLs: none (clean) /
|
||||||
|
Hijacker ext folder present: False / OB folder: False / Default browser ProgId: ChromeHTML".
|
||||||
|
- Time check: `curl -sI https://www.google.com | grep -i date` (authoritative UTC) +
|
||||||
|
PowerShell `Get-Date` + `w32tm /query /status`.
|
||||||
|
|
||||||
|
## Pending / Incomplete Tasks
|
||||||
|
|
||||||
|
- Len's Auto prepay block at 3.75 hrs (< 4) — renewal outreach flagged to Winter via
|
||||||
|
#bot-alerts low-block ping.
|
||||||
|
- Avast consumer AV on the endpoint — possible cleanup/standardization candidate, not in
|
||||||
|
scope this session.
|
||||||
|
- Optional: user education note sent in ticket (decline "install extension to view document"
|
||||||
|
prompts).
|
||||||
|
|
||||||
|
## Reference Information
|
||||||
|
|
||||||
|
- Syncro ticket #32525 (id 113665965): https://computerguru.syncromsp.com/tickets/113665965
|
||||||
|
- Syncro invoice #68012 (id 1650996463), $0.00, applied 0.5 prepay hrs
|
||||||
|
- Syncro customer: Len's Auto Brokerage id 3289131 (contact Becky Kahn); Winter user_id 1737
|
||||||
|
- Discord thread: 1524812126814994563 (#tech-department)
|
||||||
|
- Hijacker extension id: bejnegmdcklnfcipmkdbmcngioddenpo ("Tap to Sign")
|
||||||
|
- Memory: .claude/memory/feedback_gitbash_tz_ignored.md
|
||||||
@@ -19,6 +19,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
|
|||||||
|
|
||||||
<!-- Append entries below this line -->
|
<!-- Append entries below this line -->
|
||||||
|
|
||||||
|
2026-07-09 | GURU-BEAST-ROG | bash/env | [friction] reported wrong current time: Git Bash 'TZ=America/Phoenix date' silently ignored TZ and printed UTC mislabeled as AZ; use PowerShell Get-Date (or explicit UTC-7 math) on Windows for time reporting [ctx: thread=lens-auto-browser-hijack corrected_by=Winter]
|
||||||
|
|
||||||
2026-07-09 | Howard-Home | save/sync.sh | [friction] session log written inside the guru-rmm submodule was NOT committed by /save (sync.sh only stages super-repo; git add -A does not commit files inside a submodule). Log sat untracked through two syncs. Fix: for project-scoped logs in a submodule, commit+push INSIDE the submodule, then 'sync.sh --with-submodules' to advance the pointer. [ctx: project=guru-rmm ref=save-command]
|
2026-07-09 | Howard-Home | save/sync.sh | [friction] session log written inside the guru-rmm submodule was NOT committed by /save (sync.sh only stages super-repo; git add -A does not commit files inside a submodule). Log sat untracked through two syncs. Fix: for project-scoped logs in a submodule, commit+push INSIDE the submodule, then 'sync.sh --with-submodules' to advance the pointer. [ctx: project=guru-rmm ref=save-command]
|
||||||
|
|
||||||
2026-07-08 | Howard-Home | screenconnect/syncro | [correction] hand-rolled raw curl against ScreenConnect + Syncro APIs to look up machines/billing instead of using the /screenconnect (sc.py), /syncro, and /rmm-search skills [ctx: ref=CLAUDE.md skill-first]
|
2026-07-08 | Howard-Home | screenconnect/syncro | [correction] hand-rolled raw curl against ScreenConnect + Syncro APIs to look up machines/billing instead of using the /screenconnect (sc.py), /syncro, and /rmm-search skills [ctx: ref=CLAUDE.md skill-first]
|
||||||
|
|||||||
Reference in New Issue
Block a user