sync: auto-sync from GURU-5070 at 2026-07-02 17:34:37
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-07-02 17:34:37
@@ -0,0 +1,96 @@
# Session Log — 2026-07-02 — Multi-client: PST deletion reports, EZ Fast tag cleanup, UniFi adoption debugging, Bardach account check
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Four distinct work streams across one session. First, Peaceful Spirit: answered Mara's request for a "recycle bin + deny delete" NTFS design (not possible as specified — same-volume move IS a delete on NTFS; the existing Admin1 deny already breaks rename/save patterns). Verified the Option-2 alternative was already fully deployed on PST-SERVER: VSS shadow copies on G: (~4 snapshots/day, 69.8 GB cap, snapshots back to 6/28) and NTFS delete-auditing (File System Success+Failure policy; SACL Everyone/Delete+DC/Success on G:\Shares\Scanned). Then built the requested daily "deleted/moved files" report: PowerShell script on PST-SERVER correlating Security events 4663/4660, classifying Deleted vs Renamed-or-moved, writing per-day HTML to `G:\Shares\Scanned\_Deletion Reports`, scheduled task at 6:30 AM (verified live — first run result 0).
Second, EZ Fast Auto Glass: Jon's thrice-repeated "install Google tag" request (auto-ticket #32494). Found the tag installed in triplicate (IHAF plugin + hardcoded twice in theme) plus a foreign Google Ads tag AW-18119014236 served by Site Kit's Ads module (the "Ace Pickup Parts" conflict), while Google for WooCommerce already had a correct ENABLED purchase conversion action on Jon's real account AW-881146628. Cleaned up to exactly one GA4 + one Ads config; deliberately did NOT add the emailed event snippet (would double-count purchases vs the GLA plugin action). Discovered mid-work that WP user jshailer was simultaneously publishing his own WPCode snippet copy (kept his as the single source) and that 90 failed wp-admin logins hit today from a Google Cloud IP (34.148.61.x) against users jshailer/guruadmin — consistent with the "AI shared browser session" service in Jon's email; flagged in ticket. Created ticket #32495 (public+emailed detail), billed 1.0h remote ($150, invoice #67981), Resolved; cross-ref note left on #32494 for Winter.
Third, UniFi adoption debugging while Mike onsite at Taylen, John (Starlink egress 98.97.118.40). Proved the office edge is healthy end-to-end: 8080 forward is direct pfSense→UOS (172.16.3.29), NOT via NPM (80/443 only go to NPM); 476 live NAT states on the VIP:8080. Root causes found: (a) Mike's new USW-Lite-8-PoE on firmware 6.4.19 got silent HTTP 404 on /inform (protocol too old for Network 10.4.57) — fix = upgrade to 7.4.1 via fw-update API URL; (b) post-upgrade it informed with defaultAuthKey=false despite being new-in-box — likely UniFi app/Bluetooth auto-claim; fix = factory reset + set-inform; (c) his two APs adopted cleanly into "Taylen, John" (16:04/16:08); (d) located mystery device 28:70:4e:32:59:24 by tcpdump on the UOS VM NIC: a USW Pro Max 16 PoE named "3rdfloorreplacmentUSWProMax16Po" physically at the office with stale static IP 192.168.1.20, DHCP-begging + broadcasting discovery (why it shows "needs assignment" on all sites). Also identified 4 other devices fleet-wide stuck in inform-decrypt-failure loops needing factory resets.
Fourth, Bardach: full 10-point breach check on barbara@bardach.net (Authenticator "behaving crazy"). Account clean — no forwarding/hidden rules/delegates, only OAuth is zipForm Plus, 0 risk detections. Today's audit trail (MFA change 21:19 UTC + WHfB enrollment 21:24 on BCB-OFFICE26) matched her own re-enrollment after Windows Hello forgot her. Her screenshots pinned the real fault: TOTP codes rejected across multiple sites = iPhone clock drift (fix: Date & Time Set Automatically toggle). Report at clients/bardach/reports/2026-07-02-barbara-account-check.md. Tenant has no Entra P1 — no sign-in log visibility.
## Key Decisions
- **PST recycle-bin design rejected on NTFS grounds:** same-volume move requires Delete on source, so deny-delete kills the move-to-trash workflow too; extended Admin2 deny would break Mara's own accounts. Recommended (already-deployed) VSS + auditing instead; third-party Undelete Server is the only true bin if wanted.
- **Deletion report delivery = HTML file in the share** (`_Deletion Reports` inside Scanned) rather than email — no client mail infrastructure; Mara opens the share daily. Visibility-to-staff flagged as an open choice.
- **25h report window** (1h overlap) so a late task start can't create a coverage gap; dedupe by user|action|path|second to kill duplicate-handle rows.
- **EZ Fast: kept jshailer's fresh WPCode snippet as the single gtag source** (he published it mid-session; removing it would have confused active work) and cleared the older IHAF copy + theme hardcodes instead.
- **Did NOT install the emailed purchase event snippet** — GLA plugin already has an ENABLED purchase conversion action on AW-881146628; a second action would double-count. Left Site Kit analytics-4 (different GA4 property G-GKQ4P6N990, created 6/24) in place pending confirmation with Jon's marketing guy.
- **Created new ticket #32495 instead of reusing auto-ticket #32494** per Mike's instruction; cross-referenced #32494 (Winter's) as closable duplicate.
- **UniFi 404-on-inform diagnosed as firmware-age protocol rejection** (junk POST → 400 proved endpoint fine; other devices 200; his well-formed inform 404 = content-based refusal).
- **tcpdump over ping-sweep for locating LAN UniFi gear** — ARP came up empty because the device has a wrong-subnet static IP; L2 sniff of discovery broadcasts (UDP 10001) found it and decoded model/hostname/IP from payload.
- **Bardach: no remediation performed** — evidence pointed to self-inflicted re-enrollment + phone clock drift, not compromise; password rotation offered only if the 2:19 PM changes weren't hers (they were).
## Problems Encountered
- **Foreground `sleep` blocked by harness** when waiting for the 6:30 AM task trigger — switched to a background script (`run_in_background`) that sleeps then verifies; notification-driven.
- **Env vars don't persist between Bash calls** — a poll loop referenced $RMM/$TOKEN from a prior call and died (exit 3). Logged to errorlog (--friction). Re-auth inline per call.
- **`pfctl -sn | grep 8080` false negative** — pfctl renders 8080 as `http-alt` and alias targets as `<Unifi_Server>` table refs; grep for the service name/table, or use pf-list + `pfctl -t <alias> -T show`.
- **`tcpdump -i any` can't do ether filters** (SLL2) — must bind a real interface (enp1s0).
- **remediation-tool scripts failed on this machine** — `~/.claude/identity.json` lacks vault_path; fixed by exporting `CLAUDETOOLS_ROOT=/d/ClaudeTools VAULT_ROOT_ENV=D:/vault` inline.
- **Graph signIns 403/throttle** — first call throttled (misread as 0 sign-ins by the script summary), retry revealed the real blocker: tenant has no Entra ID P1 (`Authentication_RequestFromNonPremiumTenantOrB2CTenant`).
- **`wp` not on sudo PATH on ix** (`sudo -u ezfastautoglass wp` fails) — use `wp --allow-root --path=...`.
- **UOS mongo `--find-mac` initially missed context**: the "22nd St" user-table hit was the office site itself; device had left that record stale while still physically present.
## Configuration Changes
- **PST-SERVER (Peaceful Spirit):**
- Created `C:\PST-Tools\PST-DeletionReport.ps1` (4,468 bytes, Security-log 4663/4660 correlation → daily HTML report; 90-day retention; excludes SYSTEM/machine accounts and the report folder itself).
- Registered scheduled task **"PST Deletion Report (Daily)"** — 6:30 AM, SYSTEM, StartWhenAvailable, 30-min limit. Verified: ran 7/2 6:30:30 AM, result 0.
- Created `G:\Shares\Scanned\_Deletion Reports\` (reports: Deletion-Report-2026-07-02.html).
- **ix server / ezfastautoglass.com (WordPress):**
- Removed hardcoded gtag blocks (G-JW396EGJKB) from `wp-content/themes/ezfastautoglass/header.php` + `header-home.php`.
- `googlesitekit_active_modules`: removed `ads` (kills AW-18119014236 injection). Now `["pagespeed-insights","analytics-4","sign-in-with-google"]`.
- Cleared `ihaf_insert_header` option (old duplicate gtag).
- Backups: `/root/ezfag-tag-cleanup-20260702/` (header.php.bak, header-home.php.bak, googlesitekit_active_modules.json, googlesitekit_ads_settings.json, ihaf_insert_header.txt).
- **UOS VM (172.16.3.29):** installed `tcpdump` (dnf).
- **Repo:** `clients/bardach/reports/2026-07-02-barbara-account-check.md` (new).
## Credentials & Secrets
- None newly created or discovered. All access via existing vault creds (gururmm-server, pfsense-firewall infra cred, uos-server-ssh-key, remediation-tool app certs, Syncro per-user key).
## Infrastructure & Servers
- **PST-SERVER** 192.168.0.2 (agent 87293069-33b6-45e8-a68f-6811216cdb96): VSS on G: 69.8GB cap ~4 snaps/day (6a/12p/1p/6p); audit policy File System = Success+Failure; SACL Everyone Delete+DC Success on G:\Shares\Scanned; Security log max 128 MB.
- **ix.azcomputerguru.com** (172.16.3.10): ezfastautoglass cPanel acct, WP 7.0 + WooCommerce 10.9.1 + Site Kit 1.182.0 at /home/ezfastautoglass/public_html. Site Kit GA4 property G-GKQ4P6N990 (accountID 399076353, created 6/24) — ownership unconfirmed. GTM-P65RFT container = conversion-linker only.
- **UOS server** 172.16.3.29: inform :8080 healthy; ~49 sites. Site "Taylen, John" gained 2 APs 7/2 (90:41:b2:00:db:8b "Main House" UAPA693; 8c:ed:e1:ec:1d:0a UAPA69E), LAN 192.168.137.x, egress 98.97.118.40 (Starlink).
- **Office pfSense** 172.16.0.1 (SSH :2248): WAN igc0 98.181.90.163 + VIPs 70.175.28.51-57, 72.194.62.2-10. unifi.azcomputerguru.com = 72.194.62.10. Forwards: 80→NPM:1880, 443→NPM:18443, 8080/8880/6789/27117/8443/8444/3478/5349 TCP + 3478/5514/5656-5699/10001/1900/123 UDP → 172.16.3.29 (aliases Unifi_Server/Unifi_TCP/Unifi_UDP). NAT reflection active (PFREFLECT).
- **Office LAN devices:** USW Pro Max 16 PoE "3rdfloorreplacment" 28:70:4e:32:59:24 — plugged in at office, static 192.168.1.20 (wrong subnet), DHCP failing, broadcasting discovery. Needs local rescue (set IP or fix DHCP/reset) before adoption.
- **Devices stuck in decrypt-fail inform loops (need factory reset):** 74:AC:B9:E0:36:C4 @ 68.10.32.133; 74:AC:B9:B3:2A:BA @ 69.254.199.127; 58:D6:1F:4D:C9:9F @ 72.211.21.217/184.191.143.62; 74:83:C2:7E:04:93 @ 174.18.85.133; plus Mike's USW-Lite-8-PoE 0C:EA:14:72:9C:41 @ 98.97.118.40 (new-in-box, non-default key, blue LED — likely app-claimed; reset + re-inform; verify 7.4.1 upgrade took, one 404 seen at 16:18).
- **Bardach tenant** dd4a82e8-85a3-44ac-8800-07945ab4d95f: no Entra ID P1 (no sign-in logs), no Identity Protection. barbara object 41d14430-feb4-4ae2-aed6-2bd4e6384ca7.
- **EZ Fast wp-admin attack traffic:** 90 failed logins 7/2 from 34.148.61.x (Google Cloud) against jshailer + guruadmin; none succeeded. jshailer works from 68.231.115.x (Cox).
## Commands & Outputs
- USL8LP latest release firmware: `upgrade https://fw-update.ui.com/api/firmware/2ccb250c-f01c-46a6-834b-0f977726ad43/data` (v7.4.1+16850; from `https://fw-update.ubnt.com/api/firmware-latest?filter=eq~~platform~~USL8LP`).
- UniFi inform 404 semantics: junk POST → 400 (endpoint fine); well-formed but protocol-too-old → silent 404; foreign-key inform → WARN `inform decryption failed with defaultAuthKey=false` + logged MAC.
- L2 device hunt: `tcpdump -i enp1s0 -nn -e "ether src <mac>"` then `-A "udp port 10001 and ether src <mac>"` decodes hostname/model/version from discovery payload.
- pfSense: `pfctl -t Unifi_Server -T show`; `pfctl -ss | grep '72.194.62.10:8080'` (476 states).
- PST report test: dedupe fix cut duplicate-handle rows (3 → 2 items on same data).
- Syncro billing: product 1190473 Labor - Remote Business @ $150; `set_invoice_note` upsell variant applied (no prepay block).
## Pending / Incomplete Tasks
- **EZ Fast:** Jon to confirm what AI/marketing service had his creds (rotate WP passwords if shared); confirm Site Kit GA4 property G-GKQ4P6N990 intent; WPCode sample snippet ("Thank you for reading this post...") active on posts — likely accidental; #32494 for Winter to close as duplicate.
- **Taylen John switch:** Mike factory-resetting USW-Lite-8-PoE; verify 7.4.1 actually installed; watch inform log after reset → adopt into Taylen, John.
- **Office 3rd-floor switch (USW Pro Max 16):** rescue from stale 192.168.1.20 — investigate why DHCP isn't answering it, or console/reset locally; then adopt + assign.
- **4 fleet devices in decrypt-fail loops** — factory resets needed at their sites (identify clients by WAN IPs).
- **PST:** Mara's answer on report-folder visibility (staff-visible now; can lock to her); the pre-existing open items (deletion recovery copy-back, Glennda confirm, SERVER2 stability, etc.) unchanged.
- **Bardach:** relay iPhone clock fix to Barbara; iCloud Photos Error 5 fix via RMM if she wants; optional cleanup of blank 2023 WHfB method.
- **Wiki:** PST article lacks the VSS/audit deployment + new report task; ezfastautoglass has no wiki article; UOS article could gain the inform-404/firmware and 8080-path facts.
## Reference Information
- Syncro: ticket #32495 (id 113317537, EZ Fast, Resolved, invoice #67981 $150); #32494 (id 113315050, Winter) cross-referenced.
- Reports: `clients/bardach/reports/2026-07-02-barbara-account-check.md`; PST ACL/session context in `wiki/clients/peaceful-spirit.md`.
- RMM cmd ids (PST): ad4180ee (VSS/audit verify), c9f93d2e (script upload), fcc6e69e/4a86b15c (test runs), 7f5cfb96 (task registration).
- EZ Fast backups on ix: `/root/ezfag-tag-cleanup-20260702/`.
- Raw breach-check artifacts: `/tmp/remediation-tool/dd4a82e8-85a3-44ac-8800-07945ab4d95f/user-breach/barbara_bardach_net/` (GURU-5070 temp).
- Firmware API pattern: `fw-update.ubnt.com/api/firmware-latest?filter=eq~~platform~~<PLATFORM>&filter=eq~~channel~~release`.
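Review bot: the EZ Fast item under "Pending / Incomplete Tasks" makes WordPress password rotation conditional on Jon confirming which AI/marketing service had his credentials, but the Session Summary and the "EZ Fast wp-admin attack traffic" entry record the 90 failed wp-admin logins from 34.148.61.x as targeting `guruadmin` as well as `jshailer`; `guruadmin` is the MSP's own account and its exposure does not depend on Jon's answer, so the log should record whether that account was rotated or has MFA, or list it as its own pending task instead of folding it into Jon's. A second documentation point on the "Configuration Changes" section: the new "PST Deletion Report (Daily)" task runs `C:\PST-Tools\PST-DeletionReport.ps1` as SYSTEM, yet the ACL on `C:\PST-Tools` is not recorded; a SYSTEM-run script in a directory writable by non-administrators is a local privilege-escalation path, so note the directory permissions (e.g. that only Administrators/SYSTEM can write there) alongside the task registration.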