sync: auto-sync from GURU-5070 at 2026-06-04 19:33:04

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-04 19:33:04
2026-06-04 19:33:08 -07:00
parent b93c9d9e94
commit fdec4b7772
2 changed files with 89 additions and 16 deletions


@@ -2,7 +2,7 @@
type: client
name: dataforth
display_name: Dataforth Corporation
last_compiled: 2026-06-02
last_compiled: 2026-06-04
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/dataforth/docs/overview.md
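Review bot: `compiled_by` still reads `DESKTOP-0O8A1RL/claude-main` while `last_compiled` is bumped to 2026-06-04 and this sync originates from GURU-5070; either update `compiled_by` to the host that actually recompiled the page or state that the field records the original compiler, so the provenance header is not misleading.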
@@ -41,6 +41,8 @@ sources:
- clients/dataforth/docs/aoi-xp-vlan-backup-runbook.md
- clients/dataforth/session-logs/2026-06-01-cbell-m365-bobbi-outlook.md
- clients/dataforth/session-logs/2026-06-02-session.md
- clients/dataforth/session-logs/2026-06-04-session.md
- clients/dataforth/migration-gap-diff-RESUME.md
backlinks:
- projects/dataforth-dos
- systems/jupiter
@@ -48,7 +50,7 @@ backlinks:
# Dataforth Corporation
Signal conditioning / data acquisition manufacturer in Tucson, AZ. Long-standing ACG client. Active managed relationship — monthly prepaid block. Notable for 64 MS-DOS 6.22 test stations, a major security incident in March 2026, and an ongoing test datasheet pipeline modernization project.
Signal conditioning / data acquisition manufacturer in Tucson, AZ. Long-standing ACG client. Active managed relationship — monthly prepaid block. Notable for 64 MS-DOS 6.22 test stations, a major security incident in March 2026, an ongoing test datasheet pipeline modernization project, and an incomplete 2025 post-ransomware recovery restore that silently dropped files across multiple shares (active audit underway).
---
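Review bot: "silently dropped files across multiple shares" in the new summary line goes beyond what the page states later: the proven case is one folder tree on the `c-drive` share (SP1366), and the Post-Ransomware section marks the scope across the other shares as unknown pending the audit. Suggest "dropped files in at least one share (scope audit underway)" so the summary does not pre-empt the audit result.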
@@ -62,7 +64,7 @@ Signal conditioning / data acquisition manufacturer in Tucson, AZ. Long-standing
| Dan Center | dcenter | Operations (primary IT contact) | dcenter@dataforth.com |
| John Lehman | jlehman | Engineering, QB code, test specs | jlehman@dataforth.com |
| Peter Iliya | pIliya | Applications Engineer | pIliya@dataforth.com |
| Georg Haubner | ghaubner | Engineering; D: drive on HGHAUBNER has pre-ransomware-attack backup | ghaubner@dataforth.com |
| Georg Haubner | ghaubner | Engineering; D: drive on HGHAUBNER has pre-ransomware-attack backup of all DF shares | ghaubner@dataforth.com |
| Kevin Wackerly | kwackerly | IT/Admin, handles calibration@ account | kwackerly@dataforth.com |
| Logan Tobey | ltobey | Support/Sales | ltobey@dataforth.com |
| Ben Wadzinski | bwadzinski | Engineering | — |
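Review bot: the Georg Haubner row now records that a single workstation's `D:` drive is the only copy of the pre-attack data for all DF shares; add a pointer to the Backup Architecture section and a reminder that the drive is irreplaceable, so it is not wiped, re-imaged or exposed more widely before the migration-gap audit finishes and a second copy exists.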
@@ -74,7 +76,7 @@ Signal conditioning / data acquisition manufacturer in Tucson, AZ. Long-standing
- **External distributor:** Ginger (gy@quatronix-cn.com) — Quatronix China; receives datasheets
- **Billing rate:** Prepaid block; all invoices show $0.00 — hours drawn from block
- **Hours remaining:** 46.5 hrs as of 2026-05-03 (after 1 hr billed that session). Always live-check Syncro before billing — `GET /customers/578095`.
- **Hours remaining:** 34.5 hrs as of 2026-06-04 (after 1.0 hr billed for SP1366 file recovery, ticket #32385). Always live-check Syncro before billing — `GET /customers/578095`.
- **Syncro customer ID:** 578095
- **Invoice CC:** jantar@dataforth.com
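Review bot: the remaining-hours line does not add up as written: 46.5 hrs on 2026-05-03 minus the 1.0 hr cited for ticket #32385 leaves 45.5, not 34.5. The other 11 hours drawn between the two dates (the timeline lists at least the 0.5 hr onsite for ticket #32364) should be itemised, or the bullet should say "after all sessions since 2026-05-03", so that the live Syncro check is not the only reconciliation.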
@@ -86,12 +88,14 @@ Signal conditioning / data acquisition manufacturer in Tucson, AZ. Long-standing
| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| AD1 | 192.168.0.27 | Primary DC, DNS, FSMO roles, Engineering share | Windows Server 2016 | C:\ at **90%** capacity (C:\Engineering = 787 GB) — critical risk. FSMO roles (assumed all). |
| AD2 | 192.168.0.6 | Secondary DC, TestDataDB service host, NAS mirror, WebShare | Windows Server 2022 | Hosts testdatadb Node.js service on :3000. Wiped by crypto attack 2025 — rebuilt. Windows Firewall disabled (all profiles). |
| FILES-D1 | — | File server | — | Sales docs (W:), archive (Y:) |
| SAGE-SQL | 192.168.0.153 | Sage ERP (S:), RDS Session Host/Connection Broker/Web Access | Windows Server | RDS licensing grace period was expired (reset 2026-05-06). TSGateway disabled (server not externally exposed). New self-signed RDS cert installed. Bitdefender GravityZone managed AV. |
| AD1 | 192.168.0.27 | Primary DC, DNS, FSMO roles, Engineering share | Windows Server 2016 | C:\ at **90%** capacity (C:\Engineering = 787 GB) — critical risk. FSMO roles (assumed all). GuruRMM agent `bf7bc5ee-4167-4a62-912a-c88b11a5943d`. Only `Image2025` backup plan — Files plan pending. |
| AD2 | 192.168.0.6 | Secondary DC, TestDataDB service host, NAS mirror, WebShare | Windows Server 2022 | Hosts testdatadb Node.js service on :3000. Wiped by crypto attack 2025 — rebuilt. Windows Firewall disabled (all profiles). Shares: `C:\Shares\{c-drive,e-drive,webshare}`. Old `D:\c-drive` data volume is GONE — D: is now a mounted Windows install ISO. MSP360 agent at `C:\Program Files\Arizona Computer Guru\Online Backup\cbb.exe`; storage account `ACG-Dataforth`. GuruRMM agent `cfa93bb6-0cdc-4d4e-a29e-1609cda6f047`. No shadow copies. |
| FILES-D1 | — | File server | — | Shares: `E:\Shares\{sales,archive}`. GuruRMM agent `8566a19d-49a9-4f8b-9c6c-012cc934484b`. **NOTE: `staff` share is missing** on FILES-D1 — separate issue. |
| SAGE-SQL | 192.168.0.153 | Sage ERP (S:), RDS Session Host/Connection Broker/Web Access | Windows Server | RDS licensing grace period was expired (reset 2026-05-06). TSGateway disabled (server not externally exposed). New self-signed RDS cert installed. Bitdefender GravityZone managed AV. Share: `C:\sage`. GuruRMM agent `120ba7bf-8544-48a0-98a1-40ed5cdd3e1f`. |
| 3CX | 192.168.0.125 | Phone system | — | Last logon Oct 2025 — possibly inactive |
| DF-HYPERV-B | — | Hyper-V hypervisor | — | |
| DF-HYPERV-B | — | Hyper-V hypervisor | — | GuruRMM enrolled (agent ID — see GuruRMM fleet below) |
| DF-SVR-D2-Sync | — | (role TBD) | — | GuruRMM enrolled |
| eng-dev-server | — | Engineering dev server | — | GuruRMM enrolled |
| D2TESTNAS | 192.168.0.9 | SMB1 bridge for DOS test stations + AOI XP backup; Neptune Exchange physically colocated | Debian 13 (trixie), Samba 4.22.6 | **Repurposed Netgear ReadyNAS** (earlier "CachyOS"/"Netgear ReadyNAS" records were stale). SMB1 enabled globally (CORE..SMB3, NTLMv1) — required for DOS 6.22 stations. rsync daemon on port 873 (module `test`, user `rsync`, hosts allow 192.168.0.0/24 + 172.16.0.0/12). SSH: `root@192.168.0.9`. Tailscale route for 172.16.0.0/22. **Shares:** `test`/`datasheets`/`snapshots` (guest; now `hosts deny 192.168.1.175`), `aoibackup` (XP-only — see Access). |
| ESXi hosts | 192.168.0.122, 192.168.0.124 | VMware ESXi hypervisors | ESXi | — |
| UDM Firewall | 192.168.0.254 | Perimeter firewall/router | UniFi OS | MAC d0:21:f9:6c:11:02. Also responds on 192.168.0.1. SSH key: `~/.ssh/id_ed25519_udm`. C2 IPs blocked via iptables (NOT permanent — need to add to UniFi UI). |
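Review bot: the GuruRMM agent IDs added to the AD1, AD2, FILES-D1 and SAGE-SQL rows are repeated verbatim in the "Known enrolled agents" table further down; keep the IDs in one table and cross-reference it from the other so the two copies cannot drift. In the AD2 row, "Windows Firewall disabled (all profiles)" and "No shadow copies" on a domain controller that now holds all share data under `C:\Shares` are the two findings most relevant to the incomplete-restore problem (no local point-in-time copies, no host-level filtering) and deserve entries under Security, not only table notes. FILES-D1 and DF-HYPERV-B still show "—" for IP although they are now RMM-enrolled; fill those in from the agent inventory.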
@@ -106,11 +110,25 @@ Signal conditioning / data acquisition manufacturer in Tucson, AZ. Long-standing
- Vault: `clients/dataforth/neptune-exchange.sops.yaml`
- [WARNING] TODO: Resubnet Dataforth UDM to a non-overlapping range to permanently fix Neptune routing
### Share -> Server -> Physical Path Map
| Drive/Share | Server | Physical path | Notes |
|---|---|---|---|
| Q: / `c-drive` | AD2 | `C:\Shares\c-drive` | Old `D:\c-drive` is gone (D: = mounted install ISO) |
| T: / `e-drive` | AD2 | `C:\Shares\e-drive` | — |
| X: / `webshare` | AD2 | `C:\Shares\webshare` | — |
| S: / `sage` | SAGE-SQL | `C:\sage` | — |
| W: / `sales` | FILES-D1 | `E:\Shares\sales` | — |
| Y: / `archive` | FILES-D1 | `E:\Shares\archive` | — |
| B: / `Engineering` | AD1 | `C:\Engineering` | — |
| B: / `itsvc` | AD1 | `C:\Shares\ITSvc` | — |
| `staff` | FILES-D1 | — | **MISSING** — share does not exist on FILES-D1 |
### Workstations (summary)
| Category | Count | OS | Notable |
|---|---|---|---|
| Engineering | ~12 | Win 10/11 Pro | HGHAUBNER (192.168.0.148) has pre-attack D: backup. D1-PWRM for PWRM10 test. |
| Engineering | ~12 | Win 10/11 Pro | HGHAUBNER (192.168.0.148) — Georg's PC; `D:` = full pre-attack backup of all 7 DF shares (`DF C-Drive`, `DF E-Drive`, `DF WebShare`, `DF Sage`, `DF Server Sales/Archive/Engineering`, + personal). GuruRMM agent `2aefe0d5-2357-4bdd-965a-abfccb4767a5`. D1-PWRM for PWRM10 test. |
| Manufacturing/Assembly | ~14 | Win 10/11 Pro | AS24, AS26 + various assembly/hi-pot stations |
| Office/Admin | ~12 | Win 10/11 Pro | DF-GAGETRAK (192.168.0.102) — GAGEtrak calibration host. DF-JOEL2 (192.168.0.174) — compromised 2026-03-27, remediated. |
| End-of-Life (Win 7) | 3 | Windows 7 Pro | LABELPC (192.168.0.100), LABELPC2 (192.168.0.98), D2-RCVG-003 (192.168.0.47) — EOL, on network |
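Review bot: the drive-letter column maps `B:` to two different AD1 shares (`Engineering` and `itsvc`); one letter cannot be mapped to both, so one of the two rows carries a wrong letter. Verify against the GPO drive-mapping policy (the same GPO maps Q: and T: per the Access section) and correct it, since the mapped letters are exactly what the cross-machine copy workaround relies on.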
@@ -151,9 +169,33 @@ Signal conditioning / data acquisition manufacturer in Tucson, AZ. Long-standing
- **Site name:** Dataforth D1 | Site ID: `3a2f6866-26cd-452c-9806-a8df21475c3c`
- **Site API key:** vault `clients/dataforth/...` [check vault for current entry]
- **DF-GAGETRAK enrolled:** Agent ID `7626d82c-0736-47a6-8bc6-68e39859caed`, device ID `win-901ce38b-fb6e-44b8-a577-7c0bdf269a9a` — enrolled 2026-04-23
- **Fleet size:** 45 agents total (40 online) as of 2026-06-04 — grew from 13 enrolled agents
- **[WARNING] GuruRMM enrollment workaround:** WebSocket auth in `ws/mod.rs` does not validate `enrolled_agents.agent_key_hash`. New agent installs must overwrite registry AgentKey with the site API key (not the enrollment AgentKey) and restart service. See Gitea issue #8.
**Known enrolled agents:**
| Host | Agent ID | Notes |
|---|---|---|
| DF-GAGETRAK | `7626d82c-0736-47a6-8bc6-68e39859caed` | Enrolled 2026-04-23 (auth workaround applied) |
| HGHAUBNER | `2aefe0d5-2357-4bdd-965a-abfccb4767a5` | Georg's PC; pre-attack backup on D: |
| AD2 | `cfa93bb6-0cdc-4d4e-a29e-1609cda6f047` | Enrolled 2026-06-04 |
| AD1 | `bf7bc5ee-4167-4a62-912a-c88b11a5943d` | Enrolled 2026-06-04 |
| FILES-D1 | `8566a19d-49a9-4f8b-9c6c-012cc934484b` | Enrolled 2026-06-04 |
| SAGE-SQL | `120ba7bf-8544-48a0-98a1-40ed5cdd3e1f` | Enrolled 2026-06-04 |
| DF-HYPERV-B | (see RMM dashboard) | Enrolled 2026-06-04 |
| DF-SVR-D2-Sync | (see RMM dashboard) | Enrolled 2026-06-04 |
| eng-dev-server | (see RMM dashboard) | Enrolled 2026-06-04 |
| (37 additional agents) | — | Mix of workstations; full list in GuruRMM dashboard |
### Backup Architecture
- **MSP360 ("ACG-Online Backup", `cbb.exe`):** Backup provider. Storage account: `ACG-Dataforth` (account ID `0b49ca5e-...`).
- **AD2:** Two plans — `AD2 Image` (image plan, bunch `35a5c3d2`, running daily), `Files` plan (180-day retention, NBF, daily 2 AM, covers `C:\Shares` tree; GFS off, synthetic full, compression, fast-NTFS). No shadow copies on AD2.
- **AD1:** Only `Image2025` image plan. **Files plan PENDING** — command prepared (`addBackupPlan -n "Files" -a "ACG-Dataforth" -nbf ... -d "C:\Engineering" -d "C:\Shares\ITSvc" ... -purge "180d"`); awaiting Mike's "run AD1" signal.
- **Pre-attack backup (offline, not MSP360):** HGHAUBNER `D:` drive holds a full pre-attack snapshot of all 7 mapped DF shares, captured before the 2025 ransomware event. This is the only recovery source predating the attack. Accessible via GuruRMM `user_session` on HGHAUBNER. Cross-machine writes use existing GPO-mapped drives only (fresh UNC blocked by WTS-impersonation — see Patterns).
- **Historical file-level backup:** NBF bunch `faad5a67` ("Backup plan on 8/29/2025") in `ACG-Dataforth` storage contains restore points 8/299/29/2025, archived at old physical path `D:\c-drive\...` (pre-migration layout). Used successfully 2026-06-04 to confirm SP1366 file contents (HGHAUBNER backup chosen for actual restore — no B2 egress).
- **WizTree backup CSV (2026-06-04):** Full-drive WizTree export of HGHAUBNER's `D:` stored at AD2 `C:\ClaudeTools\clients\dataforth\WizTree_20260604184904.zip` (sensitive — kept OFF shares). ~8.7M files / 5.7 TB across 7 shares documented. Working copy also at GURU-5070 `C:\Users\guru\AppData\Local\Temp\wiztree.zip` (delete after diff).
### Key Applications
| Application | Host | URL/Port | Notes |
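Review bot: the agent counts in the GuruRMM block are inconsistent: 9 named hosts plus "(37 additional agents)" is 46, but the fleet line says 45 agents total; fix one of the two. In the Backup Architecture bullets, "restore points 8/299/29/2025" is garbled; the timeline gives the two restore points as 8/29/2025 and 9/29/2025. Separately, the enrollment workaround writes the site API key into every agent's registry, which makes that one key the effective credential for every enrolled endpoint; the doc should say that the key is to be rotated and the agents re-keyed once Gitea #8 is fixed.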
@@ -240,8 +282,9 @@ Syncro asset IDs: 23845, 149614, 9708445, 9357407, 9276901, 9212922, 9078651, 88
- **D2TESTNAS `aoibackup` share (AOI XP backup):** `\\192.168.0.9\aoibackup` — Samba user `admin` (password matches the XP's local login), `hosts allow = 192.168.1.175` only, `browseable = no`. Other NAS shares (`test`/`datasheets`/`snapshots`) explicitly deny 192.168.1.175. Creds in vault: `clients/dataforth/d2testnas.sops.yaml → credentials.smb.aoi-user` / `.aoi-password` / `.aoi-share`.
- **UDM SSH:** `ssh root@192.168.0.254` — SSH key `~/.ssh/id_ed25519_udm` (generated 2026-03-27)
- **SAGE-SQL SSH:** `ssh sysadmin@192.168.0.153` — SSH key (`C:\ProgramData\ssh\administrators_authorized_keys` on SAGE-SQL)
- **All server passwords:** `Paper123!@#` (domain admin sysadmin account — stored in individual vault entries per server)
- **All server passwords:** vault (individual vault entries per server — `clients/dataforth/<host>.sops.yaml`)
- **WinRM (AD2/AD1):** port 5985 — pywinrm with NTLM, user `INTRANET\sysadmin`
- **HGHAUBNER:** No SSH. Reached via GuruRMM agent `2aefe0d5`. Logged-in user `intranet\ghaubner`. Cross-machine file writes use existing GPO-mapped drives only (Q: → \\ad2\c-drive, T: → \\ad2\e-drive, etc.).
### M365 / Entra
- **M365 admin:** sysadmin@dataforth.com — vault: `clients/dataforth/m365.sops.yaml`
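Review bot: the removed line carried a literal domain-admin password in a synced wiki page; pointing to the vault is the right fix, but the value remains in this repository's history and in every synced copy, so the credential should be treated as exposed and rotated, and the page should record the rotation date. The replacement line also still implies one shared password for all servers ("All server passwords"); since the vault already has a per-host entry `clients/dataforth/<host>.sops.yaml`, make each host's sysadmin secret unique and reword the bullet accordingly.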
@@ -250,6 +293,11 @@ Syncro asset IDs: 23845, 149614, 9708445, 9357407, 9276901, 9212922, 9078651, 88
- **MSP Multi-Tenant App (Claude-MSP-Access):** MSP tenant `ce61461e-81a0-4c84-bb4a-7b354a9a356d`, App ID `fabb3421-8b34-484b-bc17-e46de9703418` — vault: msp-tools SOPS file
- **ComputerGuru tiered apps:** All 5 apps consented 2026-04-23. Exchange Operator SP (b43e7342) had Exchange Admin role added manually (gap in onboard-tenant.sh — not auto-assigned for Exch Operator).
### MSP360 Managed Backup API
- **Vault:** `msp-tools/msp360-api.sops.yaml` (api.mspbackups.com, /api/Provider/Login)
- `cbb.exe` path on AD2: `C:\Program Files\Arizona Computer Guru\Online Backup\cbb.exe`
- Browse file backup: `cbb.exe list -a "ACG-Dataforth" -b <bunch_id> -rp <restore_point_id> -path "<path>"`
### Dataforth Product API (Hoffman)
- **Vault:** `clients/dataforth/api-oauth.sops.yaml`
- Token URL: `https://login.dataforth.com/connect/token`
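Review bot: the `cbb.exe list` example uses `<bunch_id>` and `<restore_point_id>` placeholders while the rest of the page refers to bunches by 8-character prefixes (`faad5a67`, `35a5c3d2`); state whether the prefix is accepted or the full id is required, and add the command used to enumerate restore points, otherwise the browse step is not reproducible from the page. The `cbb.exe` path is also duplicated from the AD2 infrastructure row; one canonical location is enough.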
@@ -296,6 +344,17 @@ Syncro asset IDs: 23845, 149614, 9708445, 9357407, 9276901, 9212922, 9078651, 88
- **WebSocket auth bug (Issue #8):** enrolled_agents.agent_key_hash is never checked by ws/mod.rs. Workaround: after MSI install, overwrite registry `HKLM:\SOFTWARE\GuruRMM\AgentKey` with the site API key (not enrollment AgentKey), then restart service.
- **rmm-api.azcomputerguru.com must be grey-clouded** (DNS-only, not proxied) — Cloudflare proxy blocks WebSocket. Do NOT re-enable orange cloud. Gitea Issue #9.
### Cross-Machine File Operations (Windows Domain)
- **Double-hop / WTS-impersonation blocks fresh UNC paths.** When running commands in GuruRMM `user_session` (or via SSH-through-another-server), the impersonated token carries no network credentials. `net use` and fresh `\\server\share` paths fail with Access Denied.
- **Workaround that works:** Run on the SOURCE machine in `user_session` and write to an **existing GPO-mapped drive** (e.g. Q: → `\\ad2\c-drive`). The existing mapping survives impersonation; fresh UNC does not.
- **Proven 2026-06-04 on HGHAUBNER:** local `D:\DF C-Drive` read + `Q:` write succeeded; AD2-side `user_session` copy and SSH-from-AD2 both failed.
### Post-Ransomware Recovery Restore (2025) — Incomplete File Migration
- **The 10/1/2025 recovery restore was incomplete.** The `Restore plan 10/1/2025` (~3.4M files) migrated each share from the old `D:\<share>` layout to the current `C:\Shares\...` layout on AD2 and dropped files in the process. Proven case: SP1366 MAQ20 Communications Module — each `PRINTOUTS FOR MANUFACTURING` folder for revisions EH received only one file (the drill panel) when the backup contained ~6 files per revision. The 9/29/2025 file-level backup confirms the files existed before the restore.
- **Scope unknown.** Other folders across the 7 shares may have similar gaps. A full migration-gap audit is underway (WizTree both sides — see Active Work). The audit is **review-only** — no automatic restore, because some deletions were intentional and the HGHAUBNER backup is additive-only (includes Georg's personal files alongside corporate data).
- **Backup-side CSV** for diffing stored at AD2 `C:\ClaudeTools\clients\dataforth\WizTree_20260604184904.zip` (sensitive file list — keep off shares and off any publicly accessible directory).
- **AD2 D: drive is gone.** The old `D:\c-drive` data volume was repurposed as a mounted Windows install ISO during the rebuild. All share data now lives under `C:\Shares`. The historical file-level backup (bunch `faad5a67`) archived the data under `D:\c-drive\...` (pre-migration path) — reconcile paths accordingly.
### Security
- **C2 IP blocks are iptables only** — do not survive UDM reboot. Must add to permanent UniFi block list via UI. C2 IPs: 80.76.49.18, 45.88.91.99 (AS399486 Virtuo, Montreal).
- **AD1 disk 90% full** — C:\Engineering = 787 GB of 1023 GB. Risk of replication failures.
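Review bot: "revisions EH" in the Post-Ransomware bullet has lost its range separator; the restored path lists `{E,F,G,H}`, so write "revisions E through H" (the same slip appears in Active Work and the timeline). Also, the sensitive WizTree file list is stored under `C:\ClaudeTools` on AD2, a domain controller whose firewall is disabled per the infrastructure table; the "keep off shares" caveat should extend to keeping it off DCs, or at minimum to restricting that folder's NTFS ACL to the sysadmin account and deleting it when the diff is done, as the GURU-5070 working copy already says.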
@@ -310,22 +369,32 @@ Syncro asset IDs: 23845, 149614, 9708445, 9357407, 9276901, 9212922, 9078651, 88
- **Bitdefender is NOT a liveness signal:** Dataforth is being phased off BD; 53 of 57 GravityZone endpoints are in the "Deleted" folder. Missing from BD = BD agent uninstalled, not machine dead.
- **API delete not available:** `DELETE /customer_assets/{id}` returns HTML 404 for the current integration token. All asset deletions must go through the Syncro GUI.
### `staff` Share Missing
- The `staff` network share is absent from FILES-D1 (only `archive` and `sales` exist). HGHAUBNER's backup includes a `DF Staff` folder, suggesting the share existed pre-attack. Not in scope for the current migration-gap diff — separate issue requiring investigation.
---
## Active Work
As of 2026-06-02:
As of 2026-06-04:
- **Migration-gap audit (in progress):** WizTree CSV of HGHAUBNER's pre-attack backup captured (AD2 `C:\ClaudeTools\clients\dataforth\WizTree_20260604184904.zip`). Next: WizTree runs on live servers (AD2, FILES-D1, SAGE-SQL, AD1) tomorrow (2026-06-05); diff CSV-to-CSV per share → `clients/dataforth/migration-gap-catalog-2026-06-04.md`. Full plan in `clients/dataforth/migration-gap-diff-RESUME.md`. RMM agent IDs for the 4 servers are documented there. No auto-restore — review-only catalog.
- **AD1 Files backup (command ready, not run):** `addBackupPlan` command prepared for AD1 (NBF, daily 2 AM, 180-day retention, `ACG-Dataforth`, covers `C:\Engineering` + `C:\Shares\ITSvc`). Awaiting Mike's explicit "run AD1" approval — production DC. Full command in `clients/dataforth/migration-gap-diff-RESUME.md`.
- **SP1366 MAQ20 file recovery (RESOLVED 2026-06-04):** 19/20 missing manufacturing print PDFs restored for revisions EH to AD2 `C:\Shares\c-drive\DOCUMENT\DESIGN\SP\SP1366 MAQ20 Communications Module\{E,F,G,H}\PCB1366 REV <rev> PRINTOUTS FOR MANUFACTURING`. Syncro ticket #32385 billed 1.0 hr remote (prepaid, $0), resolved + invoiced. REV F `TOP PASTE LAYER` confirmed absent from both independent backups — not restored.
- **Syncro asset cleanup (2026-06-02):** 78-asset reconciliation complete. 28 confirmed-dead assets pending GUI deletion; 21 alive-but-broken machines need Syncro agent reinstall; 9 servers in VERIFY bucket. Move to metered billing once clean. Reply to Winter pending. Coord todo tree assigned to Howard (parent `103c48ad-7b31-4967-9388-065a91888e7c`). See [Syncro Asset Inventory](#syncro-asset-inventory-2026-06-02-reconciliation) above.
- **AOI XP backup + isolation (2026-06-01):** AOI optical-inspection XP PC moved to VLAN 2 (mydata/SMT) @ 192.168.1.175; locked-down SMB1 share `aoibackup` on D2TESTNAS (XP-only, user `admin`). Other NAS shares now deny the XP. Mike OK'd full SMT visibility ("it's part of SMT"). **Optional EOL hardening pending:** block XP → company LAN (except NAS 192.168.0.9) + Internet on the UDM, scoped to .175 (won't affect other SMT devices). Todo `37543f7f`.
- **AD2 Claude capability updates (parked):** AD2 runs its own Claude from `C:\ClaudeTools`. Needs: (a) syncro + coord commands, (b) DF wiki read-write, (c) Dataforth client data access. Determine if remote is shared Gitea (git pull sufficient) or diverged clone. See resume doc.
- **Test Datasheet Pipeline:** Production pipeline healthy. 469K records, 458.5K live on website. Daily task runs 02:30 AM. Email notification deployed but pending SMTP AUTH fix — sysadmin SMTP AUTH disabled in Exchange Online. See `projects/dataforth-dos/CONTEXT.md`.
- **GAGEtrak email (ticket #32142):** calibration@ SMTP re-enabled 2026-04-23. GAGEtrak configured (smtp.office365.com:587, calibration@dataforth.com). Kevin Wackerly verifying schedule on DF-GAGETRAK — expected Monday run appears to run Tuesday.
- **DKIM rotation:** Automatic cutover to selector2 on 2026-05-16 — no action needed; verify signing after that date.
- **jlohr forwarding:** ntirety.com inbox rule active as of 2026-05-12; confirmed delivering to mike@azcomputerguru.com. Defunct transport rule pending cleanup.
- **RDS / SAGE-SQL:** RDS grace period reset. GPO cert distribution pending. RDS CALs purchase needed long-term.
- **28 offline machines** (at time of 2026-03-27 incident) — rescanned status unknown. These should be verified when available.
- **MFA enforcement ongoing** — 19 users were still not enrolled as of April 4 enforcement date; current count unverified.
---
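Review bot: the `staff` share section declares it out of scope for the migration-gap diff, yet the diff is organised per share from HGHAUBNER's backup, which contains a `DF Staff` folder with no live counterpart; that is the largest possible gap and belongs in the catalog as "entire share absent" rather than being excluded. In the Active Work bullets, "tomorrow (2026-06-05)" will read wrong on every later sync; keep only the absolute date.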
@@ -335,6 +404,9 @@ As of 2026-06-02:
| Date | Event |
|---|---|
| 2025 | Crypto/ransomware attack — AD2 wiped and rebuilt, many files lost. Test datasheet pipeline broken. |
| 2025-08-29 2025-09-29 | MSP360 file-level backup (`faad5a67`) covering DF shares at old `D:\c-drive\...` path. Last snapshot before the recovery restore. |
| 2025-10-01 2025-10-02 | Post-ransomware recovery restore (`Restore plan 10/1/2025`, ~3.4M files) migrated shares from `D:\<share>` to `C:\Shares\...` on AD2. Restore was incomplete — files dropped in multiple folders (root cause: restore tool gap, not user deletion). AD2 `C:\Shares` tree NTFS creation timestamp confirms this date. |
| ~2025-10-06 | Fleet-wide Syncro agent break — ~half of Dataforth machines freeze in Syncro while remaining online in ScreenConnect. Root cause unknown. |
| 2026-01-19 | DOS Update System built and deployed — NWTOC/CTONW/UPDATE/DEPLOY BAT files, 39 deployments. Sync-FromNAS updated (DEPLOY.BAT). |
| 2026-03-20 | Galactic Advisors security assessment — AD1 C: at 90%, legacy SQL 2008 R2 client noted, 3 computers scanned. |
| 2026-03-23 | Galactic Advisors assessment analyzed by ACG. |
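Review bot: the two new timeline rows have lost their date separators ("2025-08-29 2025-09-29", "2025-10-01 2025-10-02"); write them as ranges or as "to". The 10/1 row also states the root cause as "restore tool gap, not user deletion" unconditionally, while the audit section says some deletions were intentional; limit the root-cause statement to the proven SP1366 case until the audit says otherwise.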
@@ -355,6 +427,7 @@ As of 2026-06-02:
| 2026-06-01 | AOI optical-inspection XP PC isolated onto VLAN 2 (mydata/SMT) @ 192.168.1.175; `aoibackup` SMB1 share created on D2TESTNAS locked to the XP only; other NAS shares set to deny the XP. D2TESTNAS confirmed Debian 13 / Samba 4.22.6 (repurposed Netgear ReadyNAS); vault + wiki OS corrected. Mike: AOI may see all of SMT; optional company-LAN/Internet block for the XP still pending. |
| 2026-06-01 | Chauncey Bell (cbell) M365 verified — active mailbox, licensed Microsoft 365 Business Standard (full Office + Exchange); AD password reset on AD2 (synced user, OU=Azure_Users), signed into Office. Bobbi's Outlook printing fixed by switching to Outlook (Classic). Ticket #32364 (0.5 hr onsite). |
| 2026-06-02 | Syncro asset reconciliation (78 assets): 20 keep / 21 save+flag / 28 remove / 9 verify. Root cause identified: fleet-wide Syncro agent break ~2025-10-06 silenced ~half the fleet while boxes stayed online (visible in ScreenConnect). Dataforth confirmed phasing off Bitdefender (only 4 of 57 GravityZone endpoints actively managed; 53 in Deleted folder). GUI delete list and 5-step todo tree handed to Howard. Move to metered billing pending cleanup. ScreenConnect API auth pattern documented (CTRLAuthHeader raw secret + Origin). |
| 2026-06-04 | SP1366 MAQ20 manufacturing print recovery — 19/20 PDFs for revisions EH restored to AD2 from HGHAUBNER's pre-attack backup (D:\DF C-Drive) via GuruRMM user_session + GPO-mapped Q: drive. Root cause of loss: incomplete 10/1/2025 recovery restore. MSP360 file backup (`faad5a67`) independently cross-validated (both sources agree: 19/20 present). Syncro #32385, 1.0 hr remote, prepaid $0, resolved. GuruRMM fleet grew 13 → 45 agents (AD1, FILES-D1, SAGE-SQL, DF-HYPERV-B, DF-SVR-D2-Sync, eng-dev-server, + many workstations enrolled). WizTree backup-side CSV captured for migration-gap diff; diff deferred to 2026-06-05. AD1 Files backup command prepared (not run). |
---
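Review bot: "revisions EH" in the 2026-06-04 row has the same missing range separator as the earlier sections (E through H), and "13 → 45 agents" repeats a fleet total that the enrolled-agents table sums to 46; align the number with that table so the timeline and the GuruRMM block agree.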