azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8d975c1b44648c88f397a8b67ed63049ac8c2b61
claudetools/clients/dataforth/docs/issues/log.md
Howard Enos 8d975c1b44 import: ingested 160 files from C:\Users\howar\Clients 
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00

2.8 KiB
Raw Blame History

Issue Log

2025 — Crypto/Ransomware Attack

  • Severity: Critical
  • Symptoms: Ransomware encryption across network
  • Impact: AD2 wiped and rebuilt. Many files lost including C:\DFWDS, scheduled tasks, service configs. Test datasheet pipeline (DFWDS.exe, VB6) destroyed.
  • Resolution: AD2 rebuilt. Pre-attack backup exists on HGHAUBNER D: drive. TestDataDB pipeline rebuilt 2026-03-2729.
  • Lessons Learned: No adequate backup existed. Flat network allowed lateral movement.

2026-03-27 — DF-JOEL2 Workstation Compromise

  • Reported By: Mike Swanson
  • Severity: Critical
  • Target: Joel Lohr's workstation (DF-JOEL2, 192.168.0.174)
  • Vector: Phishing email to personal Yahoo account
  • Attacker: "Angel Raya" via ScreenConnect social engineering
  • C2 IPs: 80.76.49.18, 45.88.91.99 (AS399486, Virtuo, Montreal QC)
  • C2 Cloud: instance-wlb9ga-relay.screenconnect.com
  • M365 Impact: jlohr account compromised from Turkey/UK/Germany
  • Resolution:
    • C2 IPs blocked at UDM firewall (iptables rules — need permanent UniFi UI rules)
    • 3 rogue ScreenConnect clients uninstalled
    • jlohr AD password reset, M365 sessions revoked
    • 32 machines scanned clean, 28 unreachable (offline)
    • No lateral movement detected
    • IC3 Complaint: 1c32ade367084be9acd548f23705736f
    • ConnectWise Case: 03464184
    • C2 hosting SUSPENDED by provider
  • Follow-up: Joel Lohr retired 2026-03-31. Auto-reply set to Dan Center.
  • Lessons Learned: Personal email on work machines is a phishing vector. ScreenConnect brand used for social engineering.

Known Issues & Risks (from 2026-04-02 audit)

Critical

  • All Windows Firewall profiles DISABLED on AD2
  • Windows 7 machines still on network (LABELPC, LABELPC2, D2-RCVG-003)
  • AD1 and AD2 are Windows Server 2016 (end of mainstream support)
  • AD1 C: drive at 90% capacity (C:\Engineering = 787 GB)

High

  • Joel Lohr account (jlohr) needs to be disabled post-retirement (March 31) — OVERDUE
  • 28 machines not scanned during security incident (were offline)
  • C2 IP blocks are iptables rules on UDM — need permanent UniFi UI rules
  • No reverse DNS zone for 192.168.0.x
  • MFA enforcement deadline April 4, 2026 — 19 users still need to register
  • Website upload mechanism broken (old ASP.NET endpoints return 404)

Medium

  • D2TESTNAS uses root SSH with password authentication
  • Multiple DESKTOP-* computer names suggest unmanaged/BYOD devices
  • ~845K test records pending ForWeb export
  • Some computer accounts have stale/conflicting IP addresses
  • TestDataDB Server scheduled task still exists (disabled, replaced by service)

Low

  • DVD ISO still mounted on AD2 D: drive
  • ClaudeTools-ReadOnly AD account — purpose unclear
  • Multiple duplicate/old computer accounts in AD
Reference in New Issue View Git Blame Copy Permalink