claudetools/session-logs/2026-04-17-session.md
Mike Swanson 68d9836245 Session log: Glaztech/MVAN phishing remediation, Syncro integration, DNS hardening
Glaztech: 32 phishing messages purged, MX/DMARC/EFC hardened, incident report.
MVAN: DMARC p=reject added. Syncro /syncro command built (comment+time flow).
GoDaddy API onboarded. jparkinsonaz.com DNS fixed (A→Neptune, DMARC, autodiscover).
desertrat.com audited (needs DMARC + SPF fix on Route 53).
Jupiter OwnCloud migration confirmed complete.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 12:43:09 -07:00


Session Log — 2026-04-17

User

  • User: Mike Swanson (mike)
  • Machine: DESKTOP-0O8A1RL
  • Role: admin
  • Mode: client/infra (mixed)

Session Summary

Full day of client security work + infrastructure + tooling. Major items: Jupiter OwnCloud migration confirmed complete, Glaztech phishing incident (32 messages purged, MX/DMARC/EFC hardened), MVAN DMARC added, Syncro PSA integration built, GoDaddy API onboarded, jparkinson DNS fixes, Neptune access issues.

Work Completed

1. Jupiter OwnCloud migration — confirmed complete

  • rsync finished at 22:59 MST (2h49m total for ~750G uncompressed)
  • Cache dropped from 82% (756G) to 34% (311G)
  • MariaDB-Official + Discourse running healthy 7+ hours post-migration
  • OwnCloud VM running, share config changed to shareUseCache="no"

2. Glaztech phishing incident — full remediation

Two phishing campaigns bypassing MailProtector via exposed M365 MX record:

Campaign 1: "ATTN: MaiIbox Password Login Expire" (spoofed alexander@, from 23.94.30.18 ColoCrossing)

Campaign 2: "HR Paperwork Awaiting Completion Approval" (spoofed enrique@, from 86.38.225.18)

Both: SPF FAIL, DKIM none, DMARC FAIL (p=none), SCL 1 (M365 didn't flag), connected directly to MX 10 bypassing MailProtector.

Actions taken:

  • Removed MX 10 (glaztech-com.mail.protection.outlook.com) from DNS on IX
  • Updated DMARC from p=none to p=reject
  • Enabled Enhanced Filtering for Connectors (EFSkipIPs: MailProtector IPs)
  • Purged 32 messages across 8 mailboxes (alexander, seastman, dominic, jack, bryce, cesar, daryld, holly)
  • Saved forensic .eml + .json samples
  • Onboarded Glaztech to remediation tool (admin consent + Exchange Admin role)
  • Syncro ticket #32165 created + billed

Glaztech tenant: 82931e3c-de7a-4f74-87f7-fe714be1f160

Remediation tool roles: Exchange Administrator assigned to ComputerGuru - AI Remediation SP

3. MVAN phishing — DMARC added

  • mvaninc.com had NO DMARC, NO MailProtector, direct M365 MX only
  • Added DMARC p=reject via GoDaddy web GUI (delegate access from MVAN)
  • Syncro ticket #32166 created with notes to client about MailProtector add-on option and other domains needing protection
  • MVAN tenant: 5affaf1e-de89-416b-a655-1b2cf615d5b1 (already consented for remediation tool)

4. /syncro command — Syncro PSA integration

Built /syncro slash command for ticket management via Syncro REST API.

Key discovery: Time is added as part of the comment, NOT via separate timer endpoint.

  • POST /tickets/{id}/comment with product_id, minutes_spent, bill_time_now fields
  • Timer entries (/tickets/{id}/timer_entry) exist but rarely used
  • Invoice creation: POST /invoices with ticket_id + customer_id
  • Invoice line items: POST /invoices/{id}/line_items

Labor product IDs:

  • 1190473 — Labor - Remote Business
  • 26118 — Labor - Onsite Business
  • 26184 — Labor - Emergency or After Hours Business
  • 9269129 — Labor - Prepaid Project Labor
  • 9269124 — Labor - Internal Labor
  • 26117 — Fee - Travel Time
  • 68055 — Labor - Website Labor

Glaztech billing: Prepaid Hours - Block (product 46303) at $130/hr, 40hr blocks

5. GoDaddy API — onboarded

  • Created Production API key "RemediationTools"
  • Vaulted at services/godaddy-api.sops.yaml
  • Can manage DNS for ACG-owned domains programmatically
  • Delegate domains (client-managed) only accessible via web GUI, NOT API
  • MVAN delegated access accepted but API still returns 403 (known GoDaddy limitation)

6. jparkinsonaz.com DNS fixes

  • Added DMARC: p=reject; sp=reject
  • Added autodiscover: CNAME → mail.acghosting.com
  • Changed A record: 72.194.62.7 (IX) → 67.206.163.124 (Neptune) — mail-only domain, no website
  • Required pdns_control reload after zone file edits (regular PowerDNS restart not sufficient)
  • Required /usr/local/cpanel/scripts/dnscluster synczone for cluster propagation
  • Serial format: epoch-based (NOT YYYYMMDDNN) — use incrementing epoch or zone check fails
  • Neptune certbot for autodiscover failing — likely DNS propagation delay (14400s TTL on old A)

7. desertrat.com DNS audit

  • MX: mail.desertrat.com → 162.248.93.81 (ACG WebSvr/NFOservers VDS, NOT MailProtector)
  • SPF: includes spf.wdsolutions.com (WD Solutions/SmarterMail), uses ~all (softfail)
  • DMARC: MISSING
  • DNS: AWS Route 53 (not IX or GoDaddy)
  • Needs: DMARC p=reject, SPF ~all → -all, eventual migration to IX + MailProtector
  • Recommended SPF with MailProtector added: v=spf1 +a +mx +ip4:162.248.93.233 +ip4:162.248.93.81 +include:spf.wdsolutions.com +include:spf.us.emailservice.io -all
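
The same three checks this log applied to glaztech.com, mvaninc.com and desertrat.com (an MX that bypasses the filtering gateway, a missing or p=none DMARC, an SPF ending in ~all), as an added Python illustration rather than the session's own tooling. Records are passed in as a dict so it runs offline; the gateway hostname suffix and the sample records are constructed.

```python
"""Mail-security posture check of the kind this log applies to glaztech.com,
mvaninc.com and desertrat.com. Records are passed in a dict, so it runs
offline; the filter-gateway suffix and samples below are constructed."""
import re

def parse_dmarc(txt):
    """DMARC tags as a dict, or None when the record is absent or invalid."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    return tags

def spf_terminal(txt):
    """Qualifier on SPF's 'all' term ('-', '~', '?', '+'); None if no SPF."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt.strip())
    return (m.group(1) or "+") if m else None

def audit_domain(records, filter_mx_suffix):
    """Findings list; empty means filtered MX only, DMARC p=reject, SPF -all."""
    findings = []
    direct = [h for h in records.get("mx", []) if not h.lower().endswith(filter_mx_suffix)]
    if direct:  # mail can reach the tenant without passing the filter
        findings.append("MX bypasses filter: " + ", ".join(direct))
    dmarc = parse_dmarc(records.get("dmarc"))
    if dmarc is None:
        findings.append("DMARC missing")
    elif dmarc.get("p") != "reject":
        findings.append("DMARC p=%s (want reject)" % dmarc.get("p", "none"))
    qualifier = spf_terminal(records.get("spf"))
    if qualifier is None:
        findings.append("SPF missing")
    elif qualifier != "-":
        findings.append("SPF ends in %sall (want -all)" % qualifier)
    return findings

# Constructed samples mirroring the log (gateway hostname is a placeholder).
FILTER_SUFFIX = ".filter.example"
DESERTRAT_BEFORE = {"mx": ["mail.desertrat.com"], "dmarc": None,
    "spf": "v=spf1 +a +mx +ip4:162.248.93.81 +include:spf.wdsolutions.com ~all"}
GLAZTECH_AFTER = {"mx": ["inbound.filter.example"],
    "spf": "v=spf1 include:spf.us.emailservice.io -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject"}
```

Running audit_domain(DESERTRAT_BEFORE, FILTER_SUFFIX) reproduces the three desertrat.com findings above; the Glaztech after-state returns no findings.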

8. Neptune password reset — failed

  • Attempted to set jparkinson password to jP$48504850 on Neptune (jparkinsonaz.com domain)
  • Neptune at 67.206.163.124 (public) / 172.16.3.50 (internal)
  • WinRM from AD2 failed (Kerberos cross-domain), direct WinRM from workstation failed (Negotiate auth error)
  • Internal IP 172.16.3.50 has RDP + WinRM open but auth failed
  • May have caused account lockout — user handling via separate Claude session on Neptune directly
  • ACG\administrator creds: Gptf*77ttb##

Credentials

GoDaddy API (Production)

  • Key: 2wXWWFcuYk_2RGxdvpe1WZV2yPMvNLGEe
  • Secret: 5pQZs7H9WY7dwh59XsJMNr
  • Auth header: Authorization: sso-key 2wXWWFcuYk_2RGxdvpe1WZV2yPMvNLGEe:5pQZs7H9WY7dwh59XsJMNr
  • Vault: services/godaddy-api.sops.yaml

Syncro PSA

  • API Key: T259810e5c9917386b-52c2aeea7cdb5ff41c6685a73cebbeb3
  • Base: https://computerguru.syncromsp.com/api/v1
  • Vault: msp-tools/syncro.sops.yaml

Glaztech M365

  • Tenant ID: 82931e3c-de7a-4f74-87f7-fe714be1f160
  • Remediation tool consented + Exchange Admin role assigned

MVAN M365

  • Tenant ID: 5affaf1e-de89-416b-a655-1b2cf615d5b1
  • Already consented for remediation tool

Neptune

  • Public: 67.206.163.124
  • Internal: 172.16.3.50
  • Creds: ACG\administrator / Gptf*77ttb##
  • jparkinson target password: jP$48504850

IX server

  • 172.16.3.10, root, Gptf*77ttb!@#!@#
  • PowerDNS, cPanel, zone files at /var/named/
  • Cluster sync: /usr/local/cpanel/scripts/dnscluster synczone <domain>

DNS Changes Made Today

| Domain | Record | Before | After | Server |
|---|---|---|---|---|
| glaztech.com | MX 10 | glaztech-com.mail.protection.outlook.com | REMOVED | IX |
| glaztech.com | _dmarc TXT | p=none | p=reject; sp=reject | IX |
| mvaninc.com | _dmarc TXT | (missing) | p=reject; sp=reject | GoDaddy (web GUI) |
| jparkinsonaz.com | _dmarc TXT | (missing) | p=reject; sp=reject | IX |
| jparkinsonaz.com | autodiscover | (missing) | CNAME mail.acghosting.com | IX |
| jparkinsonaz.com | A (root) | 72.194.62.7 (IX) | 67.206.163.124 (Neptune) | IX |

IX DNS gotchas (learned today)

  1. pdns_control reload <zone> needed after zone file edits — full PowerDNS restart doesn't always pick up changes
  2. Serial format varies — some zones use epoch (1776xxxxxx), some use YYYYMMDDNN. New serial must be HIGHER than old or changes are ignored.
  3. DNS cluster sync required: /usr/local/cpanel/scripts/dnscluster synczone <domain> — editing zone files directly doesn't trigger cluster propagation
  4. Zone file backups at /var/named/<domain>.db.bak-YYYYMMDD
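
Gotcha 2 above (the serial must end up higher, whichever style the zone uses) as an added Python helper, not part of the session's own tooling: it detects epoch vs YYYYMMDDNN, picks a strictly greater serial in the same style, and rewrites it in the zone text. The sample zone and its nameserver names are constructed.

```python
"""Pick the next SOA serial for a zone edited by hand on IX and rewrite it in
the zone text. Both serial styles seen today are handled: epoch (1776xxxxxx)
and YYYYMMDDNN. Added illustration; the sample zone below is constructed."""
import re
import time
from datetime import date

def serial_style(serial):
    """'date' for YYYYMMDDNN, otherwise 'epoch' (1776xxxxxx is not a valid date)."""
    s = str(serial)
    if len(s) == 10 and 1990 <= int(s[:4]) <= 2099 \
            and 1 <= int(s[4:6]) <= 12 and 1 <= int(s[6:8]) <= 31:
        return "date"
    return "epoch"

def next_serial(old, now=None, today=None):
    """Serial strictly greater than old, in old's style (else the change is ignored).
    today is an int YYYYMMDD, now an epoch int; both default to the clock."""
    now = int(time.time() if now is None else now)
    today = today or int(date.today().strftime("%Y%m%d"))
    if serial_style(old) == "date":
        base = today * 100  # today's first revision, NN=00
        return base if base > old else old + 1
    return now if now > old else old + 1

# Serial is the first number after the SOA mname/rname, parenthesised or not.
SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")

def bump_zone_serial(zone_text, **kw):
    """Return (new_zone_text, old_serial, new_serial)."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    old = int(m.group(2))
    new = next_serial(old, **kw)
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], old, new

# Constructed sample in the cPanel/PowerDNS zone-file layout (ns names are placeholders).
SAMPLE_ZONE = """$TTL 14400
jparkinsonaz.com. 86400 IN SOA ns1.example.net. hostmaster.example.net. (
        2026041700 ; serial
        3600 ; refresh
        1800 ; retry
        1209600 ; expire
        86400 ; minimum
)
jparkinsonaz.com. 14400 IN A 67.206.163.124
"""
```

Write the returned text back to the zone file, then run the pdns_control reload and dnscluster synczone steps listed above; the serial bump alone does not propagate anything.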

Syncro tickets created

| # | Customer | Subject | Time | Status |
|---|---|---|---|---|
| 32165 | Glaz-Tech Industries | Email Security - Phishing remediation + MX/DMARC hardening | 1hr (timer, not comment — needs fix) | Invoiced |
| 32166 | MVAN Enterprises Inc | Email Security - DMARC protection added for mvaninc.com | 30 min Remote Business | Resolved |

Files created/modified

  • clients/glaztech/reports/2026-04-17-phishing-incident-report.md
  • clients/glaztech/reports/2026-04-17-phishing-ATTN-mailbox-password.eml
  • clients/glaztech/reports/2026-04-17-phishing-ATTN-mailbox-password.json
  • clients/glaztech/reports/2026-04-17-phishing-HR-paperwork.eml
  • clients/glaztech/reports/2026-04-17-hr-paperwork-*.json
  • .claude/commands/syncro.md (new)
  • D:\vault\services\godaddy-api.sops.yaml (new)

Pending

  1. Neptune jparkinson password — being handled in separate Claude session on Neptune
  2. desertrat.com — needs DMARC + SPF hardening on Route 53 (need AWS access)
  3. desertrat.com — long-term migration from WebSvr to IX + MailProtector
  4. Glaztech ticket #32165 — timer entry created wrong (should be comment+time); fix or rebill in Syncro GUI
  5. jparkinsonaz.com certbot — retry once A record propagates (14400s TTL from old IP)
  6. MVAN other domains — only mvaninc.com has DMARC; client has other domains needing protection
  7. GoDaddy delegate API limitation — can't manage delegate domains via API; need client's own API key for programmatic DNS
  8. All carry-over items from 2026-04-16 (Howard onboarding, GuruRMM migration drift, Len's deployment, etc.)