Add AD1 session data, memory entries for datasheet pipeline and security incident
- Imported AD1 Claude session files to clients/dataforth/session-logs/ - Created memory: project_datasheet_pipeline.md (full pipeline architecture) - Created memory: project_dataforth_incident_2026-03-27.md (security incident + MFA) - Updated MEMORY.md index - Updated session log with AD1 pipeline rebuild findings Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
OC-5070
@@ -21,3 +21,5 @@
|
||||
- [Audio Processor Architecture](project_audio_processor_architecture.md) - Segment-first pipeline: detect breaks before transcription for complete content capture
|
||||
- [Neptune Email Routing Issues](project_email_routing_neptune.md) - Multiple clients (devcon, Sorensen/rieussetcorp) have email not routing properly from Neptune
|
||||
- [Neptune SBR Email Routing Setup](project_neptune_sbr_email_routing.md) - Full SBR routing chain, config file locations, MailProtector integration, access methods
|
||||
- [Dataforth Test Datasheet Pipeline](project_datasheet_pipeline.md) - Full pipeline rebuilt 2026-03-27. Server-side generation replaces DFWDS/Uploader. Website upload still broken.
|
||||
- [Dataforth Security Incident](project_dataforth_incident_2026-03-27.md) - DF-JOEL2 compromised, MFA deployed, IC3 filed. CA policies enforce April 4.
|
||||
|
||||
37
.claude/memory/project_dataforth_incident_2026-03-27.md
Normal file
37
.claude/memory/project_dataforth_incident_2026-03-27.md
Normal file
@@ -0,0 +1,37 @@
|
||||
---
|
||||
name: Dataforth Security Incident 2026-03-27
|
||||
description: DF-JOEL2 compromised via ScreenConnect social engineering. MFA deployed. IC3 filed. C2 IPs blocked. Full remediation completed.
|
||||
type: project
|
||||
---
|
||||
|
||||
## Incident
|
||||
Joel Lohr's workstation (DF-JOEL2, 192.168.0.143) compromised via phishing email to personal Yahoo account. Attacker "Angel Raya" deployed ScreenConnect C2 backdoors. M365 account also compromised from Turkey/UK/Germany.
|
||||
|
||||
## Attacker
|
||||
- C2: 80.76.49.18 and 45.88.91.99 (AS399486, Virtuo, Montreal QC) - SUSPENDED by host
|
||||
- Cloud relay: instance-wlb9ga-relay.screenconnect.com
|
||||
- ConnectWise case: 03464184
|
||||
- IC3 complaint: 1c32ade367084be9acd548f23705736f
|
||||
|
||||
## Remediation
|
||||
- C2 IPs blocked at UDM firewall (iptables - need permanent rules in UniFi UI)
|
||||
- 3 rogue ScreenConnect clients uninstalled
|
||||
- jlohr AD password reset, M365 sessions revoked
|
||||
- 32 machines scanned clean, 28 unreachable (offline)
|
||||
- No lateral movement detected
|
||||
|
||||
## MFA Rollout
|
||||
- 3 CA policies deployed (report-only until April 4, 2026):
|
||||
- Require MFA (skip from office IP 67.206.163.122)
|
||||
- Block foreign sign-ins (US only, MFA-Travel-Bypass group for exceptions)
|
||||
- Block legacy auth
|
||||
- 19/38 users MFA-ready, 19 need to register
|
||||
- MFA notice sent to all users, deadline April 4
|
||||
|
||||
## Joel Lohr
|
||||
- Retiring March 31, 2026
|
||||
- Auto-reply directs contacts to Dan Center (dcenter@dataforth.com)
|
||||
- Account should be disabled after retirement
|
||||
|
||||
**Why:** Active security incident requiring immediate response.
|
||||
**How to apply:** Monitor CA policies in report-only mode, enforce April 4. Check 28 offline machines when available. Add C2 IPs to permanent UDM block list.
|
||||
73
.claude/memory/project_datasheet_pipeline.md
Normal file
73
.claude/memory/project_datasheet_pipeline.md
Normal file
@@ -0,0 +1,73 @@
|
||||
---
|
||||
name: Dataforth Test Datasheet Pipeline - Rebuilt 2026-03-27
|
||||
description: Full pipeline from DOS test stations to website. New server-side generation replaces DFWDS/Uploader. 72/73 Quatronix datasheets generated. AD2 crypto wipe recovery.
|
||||
type: project
|
||||
---
|
||||
|
||||
## Background
|
||||
AD2 (192.168.0.6) was wiped in a crypto/ransomware attack months ago. The test datasheet pipeline was broken. Customer Quatronix (China) blocking shipment of 328 modules (whittled to 54) without datasheets.
|
||||
|
||||
## Pipeline (5 stages, rebuilt 2026-03-27)
|
||||
|
||||
### Stage 1: DOS Test Stations (64 stations)
|
||||
- QuickBASIC programs generate test data -> C:\STAGE on each DOS PC
|
||||
- DAT files (raw test data) + TXT files (formatted datasheets)
|
||||
- CTONW.BAT copies DAT files to NAS (working)
|
||||
- CTONWTXT.BAT copies TXT files (NOT called in current AUTOEXEC v4.1 since 2026-03-12)
|
||||
- TXT files piling up in C:\STAGE since Sept 2025
|
||||
|
||||
### Stage 2: NAS <-> AD2 Sync
|
||||
- Script: C:\Shares\test\scripts\Sync-FromNAS-rsync.ps1 (every 15 min, WORKING)
|
||||
- Rsync daemon on NAS: port 873, module "test", user rsync / IQ203s32119
|
||||
- PULL: DAT files from NAS -> AD2, triggers database import
|
||||
- PUSH: Software updates from AD2 -> NAS for DOS machines
|
||||
|
||||
### Stage 3: TestDataDB (Node.js/SQLite, WORKING)
|
||||
- App: C:\Shares\testdatadb\ (Windows service "testdatadb", auto-start)
|
||||
- API: http://192.168.0.6:3000
|
||||
- Database: C:\Shares\testdatadb\database\testdata.db (2.27M records)
|
||||
- Import: database/import.js (post-import hook calls export)
|
||||
- **NEW: Spec parser** (parsers/spec-reader.js) - reads binary spec DATs, 1470 models
|
||||
- **NEW: Exact-match formatter** (templates/datasheet-exact.js) - reverse-engineered from QB
|
||||
- **NEW: Auto-export** (database/export-datasheets.js) - generates TXT to X:\For_Web
|
||||
|
||||
### Stage 4: WebShare (X: = \\ad2\webshare = C:\Shares\webshare)
|
||||
- X:\Test_Datasheets - incoming (staging for old DFWDS)
|
||||
- X:\For_Web - validated datasheets (501K+ files, pre-2026 archived to year subfolders)
|
||||
- X:\For_Web_PDF - PDF versions (4.7K files)
|
||||
- X:\Bad_Datasheets - invalid files (18K)
|
||||
- X:\Datasheets_Log - DFWDS logs
|
||||
|
||||
### Stage 5: Website Upload (BROKEN)
|
||||
- Old endpoints: dataforth.com/Services/{Uploader,DirectoryManifest,DeleteFile}.aspx - ALL 404
|
||||
- Credentials: DataforthWebShare / Data6277
|
||||
- TestDataSheetUploader (VB.NET, Hoffman) - not running, config pointed to dev paths
|
||||
- Legacy site: legacy.dataforth.com/TestDataReport_Print.aspx (still works, no auth)
|
||||
- New site: dataforth.com/TestDataReport (requires OIDC login)
|
||||
|
||||
## What Was Eliminated by Rebuild
|
||||
- CTONWTXT.BAT (DOS TXT transfer) - no longer needed, server generates from DAT data
|
||||
- DFWDS.exe (VB6 filename decoder) - no longer needed
|
||||
- TestDataSheetUploader (VB.NET web uploader) - endpoints dead anyway
|
||||
|
||||
## Key File Encoding
|
||||
H-prefix decode: A=10, B=11, C=12, D=13, E=14, F=15, G=16, H=17, I=18, J=19
|
||||
Example: H8601-6.TXT -> serial 178601-6
|
||||
New pipeline extracts SN from DAT record data directly, not filenames.
|
||||
|
||||
## Open Items
|
||||
1. Website upload replacement (old ASP.NET endpoints dead)
|
||||
2. 7B datasheet formatting (specs loaded, needs 7B-specific layout, ~830K records)
|
||||
3. SCM5B49 spec file empty - need from John Lehman
|
||||
4. Service permissions (runs as SYSTEM, causes SHM/WAL conflicts)
|
||||
5. New product lines: MAQ20/PWRM (XLS), 10D (JSON, ~May 2026), DSCMHV
|
||||
|
||||
## Key Contacts
|
||||
- John Lehman (jlehman@dataforth.com) - Engineering, QB code, specs
|
||||
- Peter Iliya (pIliya@dataforth.com) - Applications Engineer, manual datasheet retrieval
|
||||
- Ken Hoffman - TestDataSheetUploader author (VB.NET), DFWDS author, unresponsive
|
||||
- Georg Haubner (ghaubner@dataforth.com) - D: drive has pre-crypto backup of network shares
|
||||
- Ginger (gy@quatronix-cn.com) - Quatronix China, customer requesting datasheets
|
||||
|
||||
**Why:** Critical business issue - customer refusing shipments without datasheets.
|
||||
**How to apply:** Pipeline is mostly rebuilt. Priority: website upload replacement, then 7B support.
|
||||
Reference in New Issue
Block a user