azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8d975c1b44648c88f397a8b67ed63049ac8c2b61
claudetools/clients/dataforth/docs/issues/log.md
Howard Enos 8d975c1b44 import: ingested 160 files from C:\Users\howar\Clients 
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00

62 lines
2.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Issue Log
### 2025 — Crypto/Ransomware Attack
- **Severity:** Critical
- **Symptoms:** Ransomware encryption across network
- **Impact:** AD2 wiped and rebuilt. Many files lost including C:\DFWDS\, scheduled tasks, service configs. Test datasheet pipeline (DFWDS.exe, VB6) destroyed.
- **Resolution:** AD2 rebuilt. Pre-attack backup exists on HGHAUBNER D: drive. TestDataDB pipeline rebuilt 2026-03-2729.
- **Lessons Learned:** No adequate backup existed. Flat network allowed lateral movement.
---
### 2026-03-27 — DF-JOEL2 Workstation Compromise
- **Reported By:** Mike Swanson
- **Severity:** Critical
- **Target:** Joel Lohr's workstation (DF-JOEL2, 192.168.0.174)
- **Vector:** Phishing email to personal Yahoo account
- **Attacker:** "Angel Raya" via ScreenConnect social engineering
- **C2 IPs:** 80.76.49.18, 45.88.91.99 (AS399486, Virtuo, Montreal QC)
- **C2 Cloud:** instance-wlb9ga-relay.screenconnect.com
- **M365 Impact:** jlohr account compromised from Turkey/UK/Germany
- **Resolution:**
- C2 IPs blocked at UDM firewall (iptables rules — need permanent UniFi UI rules)
- 3 rogue ScreenConnect clients uninstalled
- jlohr AD password reset, M365 sessions revoked
- 32 machines scanned clean, 28 unreachable (offline)
- No lateral movement detected
- IC3 Complaint: 1c32ade367084be9acd548f23705736f
- ConnectWise Case: 03464184
- C2 hosting SUSPENDED by provider
- **Follow-up:** Joel Lohr retired 2026-03-31. Auto-reply set to Dan Center.
- **Lessons Learned:** Personal email on work machines is a phishing vector. ScreenConnect brand used for social engineering.
---
## Known Issues & Risks (from 2026-04-02 audit)
### Critical
- All Windows Firewall profiles **DISABLED** on AD2
- Windows 7 machines still on network (LABELPC, LABELPC2, D2-RCVG-003)
- AD1 and AD2 are Windows Server 2016 (end of mainstream support)
- AD1 C: drive at **90% capacity** (C:\Engineering = 787 GB)
### High
- Joel Lohr account (jlohr) needs to be disabled post-retirement (March 31) — **OVERDUE**
- 28 machines not scanned during security incident (were offline)
- C2 IP blocks are iptables rules on UDM — need permanent UniFi UI rules
- No reverse DNS zone for 192.168.0.x
- MFA enforcement deadline April 4, 2026 — 19 users still need to register
- Website upload mechanism broken (old ASP.NET endpoints return 404)
### Medium
- D2TESTNAS uses root SSH with password authentication
- Multiple DESKTOP-* computer names suggest unmanaged/BYOD devices
- ~845K test records pending ForWeb export
- Some computer accounts have stale/conflicting IP addresses
- TestDataDB Server scheduled task still exists (disabled, replaced by service)
### Low
- DVD ISO still mounted on AD2 D: drive
- ClaudeTools-ReadOnly AD account — purpose unclear
- Multiple duplicate/old computer accounts in AD
Reference in New Issue View Git Blame Copy Permalink