import: ingested 160 files from C:\Users\howar\Clients
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:
Clients (structured MSP docs under clients/<name>/docs/):
- anaise (NEW) - 13 files
- cascades-tucson - 47 files merged (existing had only reports/)
- dataforth - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa (NEW) - 22 files, multi-site (camden, river)
- kittle (NEW) - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template - 13-file scaffold for new clients
MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/ - clean_printer_ports, win11_upgrade,
screenconnect-toolbox-commands
Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
no other credentials found
Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
(identical duplicates of msp-audit-scripts versions)
Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)
Session log: session-logs/2026-04-16-howard-client-docs-import.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
61
clients/dataforth/docs/issues/log.md
Normal file
61
clients/dataforth/docs/issues/log.md
Normal file
@@ -0,0 +1,61 @@
|
||||
# Issue Log
|
||||
|
||||
### 2025 — Crypto/Ransomware Attack
|
||||
- **Severity:** Critical
|
||||
- **Symptoms:** Ransomware encryption across network
|
||||
- **Impact:** AD2 wiped and rebuilt. Many files lost including C:\DFWDS\, scheduled tasks, service configs. Test datasheet pipeline (DFWDS.exe, VB6) destroyed.
|
||||
- **Resolution:** AD2 rebuilt. Pre-attack backup exists on HGHAUBNER D: drive. TestDataDB pipeline rebuilt 2026-03-27–29.
|
||||
- **Lessons Learned:** No adequate backup existed. Flat network allowed lateral movement.
|
||||
|
||||
---
|
||||
|
||||
### 2026-03-27 — DF-JOEL2 Workstation Compromise
|
||||
- **Reported By:** Mike Swanson
|
||||
- **Severity:** Critical
|
||||
- **Target:** Joel Lohr's workstation (DF-JOEL2, 192.168.0.174)
|
||||
- **Vector:** Phishing email to personal Yahoo account
|
||||
- **Attacker:** "Angel Raya" via ScreenConnect social engineering
|
||||
- **C2 IPs:** 80.76.49.18, 45.88.91.99 (AS399486, Virtuo, Montreal QC)
|
||||
- **C2 Cloud:** instance-wlb9ga-relay.screenconnect.com
|
||||
- **M365 Impact:** jlohr account compromised from Turkey/UK/Germany
|
||||
- **Resolution:**
|
||||
- C2 IPs blocked at UDM firewall (iptables rules — need permanent UniFi UI rules)
|
||||
- 3 rogue ScreenConnect clients uninstalled
|
||||
- jlohr AD password reset, M365 sessions revoked
|
||||
- 32 machines scanned clean, 28 unreachable (offline)
|
||||
- No lateral movement detected
|
||||
- IC3 Complaint: 1c32ade367084be9acd548f23705736f
|
||||
- ConnectWise Case: 03464184
|
||||
- C2 hosting SUSPENDED by provider
|
||||
- **Follow-up:** Joel Lohr retired 2026-03-31. Auto-reply set to Dan Center.
|
||||
- **Lessons Learned:** Personal email on work machines is a phishing vector. ScreenConnect brand used for social engineering.
|
||||
|
||||
---
|
||||
|
||||
## Known Issues & Risks (from 2026-04-02 audit)
|
||||
|
||||
### Critical
|
||||
- All Windows Firewall profiles **DISABLED** on AD2
|
||||
- Windows 7 machines still on network (LABELPC, LABELPC2, D2-RCVG-003)
|
||||
- AD1 and AD2 are Windows Server 2016 (end of mainstream support)
|
||||
- AD1 C: drive at **90% capacity** (C:\Engineering = 787 GB)
|
||||
|
||||
### High
|
||||
- Joel Lohr account (jlohr) needs to be disabled post-retirement (March 31) — **OVERDUE**
|
||||
- 28 machines not scanned during security incident (were offline)
|
||||
- C2 IP blocks are iptables rules on UDM — need permanent UniFi UI rules
|
||||
- No reverse DNS zone for 192.168.0.x
|
||||
- MFA enforcement deadline April 4, 2026 — 19 users still need to register
|
||||
- Website upload mechanism broken (old ASP.NET endpoints return 404)
|
||||
|
||||
### Medium
|
||||
- D2TESTNAS uses root SSH with password authentication
|
||||
- Multiple DESKTOP-* computer names suggest unmanaged/BYOD devices
|
||||
- ~845K test records pending ForWeb export
|
||||
- Some computer accounts have stale/conflicting IP addresses
|
||||
- TestDataDB Server scheduled task still exists (disabled, replaced by service)
|
||||
|
||||
### Low
|
||||
- DVD ISO still mounted on AD2 D: drive
|
||||
- ClaudeTools-ReadOnly AD account — purpose unclear
|
||||
- Multiple duplicate/old computer accounts in AD
|
||||
Reference in New Issue
Block a user