tech-team

RocketChat ID: 4xBSWiLiQjEDjp5Gp


2,194 total messages. Viewing 100 per page.
Prev | Page 13/22 | Next

Thomas @thomas

That's a lot of employees. How would they get his real name?

Matthew MN @PF-6495

I can lookup employees at my company through MA teams

Jake AR @PF-3320

@Vincent TX can you add the task to test if any IPs are logged on server. And assign it to me. I'll use a VPN and then look for the IP on the server to see if it's logged anywhere. We could use a script that checked if an IP was from a VPN and what state the IP is from and then forward that data to a monitored channel, so we would have a history of every time a user accesses the server and from what state and if it was from a VPN or not. Would that be a liability?

Vincent TX @PF-4354

I was told that Paul used to work with an Antifa type at the desk next to him

Jason NY @PF-3527

Vincent WA likely got his name from his license plate when he was at the hike.

Matthew MN @PF-6495

Most likely

Vincent TX @PF-4354

Yup

Jake AR @PF-3320

We would not save any specific IPs just state and time

Jake AR @PF-3320

We should have had an access log implemented a while back

Vincent TX @PF-4354

We could also find a way to save the data off server and encrypt it somehow, similar to the hashing we have for users. If we did that it would make the data useless.

Jake AR @PF-3320

Yea, that's an option.

Vincent TX @PF-4354

Cronjob that runs every 24 hours to send logs somewhere safe, encrypt them, and clear logs

Jake AR @PF-3320

Also another reason why the app needs to be discontinued is because, if I understand correctly, it saves messages even after they are pruned

Jason NY @PF-3527

Can the script assign a number to each unique IP so that we can check if users login with same IP, without having to store the IP itself?

Jake AR @PF-3320

We could turn the IP into a hash that couldn't go backwards

Jason NY @PF-3527

:thumbup:

Matthew MN @PF-6495

Could use a keyed SHA-2 hash

Jake AR @PF-3320

So let's add that to tasks: create access logs for user, date, time, IP, State, hashed IP, and if possible logging certain actions like opening a channel or searching for a username

Vincent TX @PF-4354

Is anyone immediately taking that? Is that part of what you wanted me to add before Jake

Jake AR @PF-3320

Make that a second task and right now it can be unassigned

Jake AR @PF-3320

The first task I mentioned was mostly about making sure that we aren't unknowingly saving IP information and making sure that we clear it if we are

Vincent TX @PF-4354

Both have been added. First task has been assigned to you Jake

Jake AR @PF-3320

Thanks

Vincent TX @PF-4354

@Jason NY What have you been working on?

Do we have a list of all members houses who Vincent entered? If it is possible that he put a keylogger on someones machine we should speak to them and do some checks.

Jason NY @PF-3527

I am preparing my own sandbox server for testing rocket chat migration. Jake and I determined that a good start would be importing the db and trying to fix the schema. If that doesn't work then we'll have to test the theory of a script that updates the DB gradually, one release at a time. I am going to move the DB to test server tonight when few people are online because a few minutes of downtime will be necessary. As for the Vincent WA list, I'm waiting for John WA to get back to me with that info.

Vincent TX @PF-4354

Ok thank you for the update. Do you need me to do anything? I just finished up work.

Vincent TX @PF-4354

I was thinking of talking to Tyler about his computer

Jason NY @PF-3527

I just contacted John and will now ask Tyler to confirm login times

Jason NY @PF-3527

If you have admin on vetting server you could check last login time of Interviewee-219169 and check his logs too

Jason NY @PF-3527

Robert IN was using his interviewee account for undetermined reasons a few days ago despite having been in the org for over a month

Jason NY @PF-3527

I'm also curious about members' user agents

Matthew MN @PF-6495

Keyloggers can sometimes evade detection from AVs; he should check for a physical keylogger too.

Vincent TX @PF-4354

I do not

Matthew MN @PF-6495
Jason NY @PF-3527

I have brought this up before on the first night of log investigation but I still don't understand why the server is logging an Outgoing Webhook for every message sent. Vincent TX already checked integrations and saw none enabled. I'm curious if this also occurs on vetting and if this has always occurred on our RC instance. It doesn't happen on my own version of RC.

Jason NY @PF-3527

Example:

Jason NY @PF-3527
Missing attachment: integration.png
Jason NY @PF-3527

Is this to add the code?

Matthew MN @PF-6495

Is this main or vetting

Jason NY @PF-3527

That's on main

Jason NY @PF-3527

Idk if happening on vetting too or not

Matthew MN @PF-6495

It might be a behavior from RC

Jason NY @PF-3527

I sure hope it is. On the Rocket.Chat forum there are threads of people debugging their webhooks and the logs are the same for purposeful webhooks.

Jason NY @PF-3527

https://forums.rocket.chat/t/outgoing-websocket-messages-are-not-delivered-to-client/42116

Matthew MN @PF-6495

Pretty sure Thomas looked and we have no user webhooks added

Jason NY @PF-3527

With no enabled webhook on my own build there is no log when I send a message. With outgoing webhook enabled I get "Integrations Outgoing Webhook.debug Got the event argument for the event: sendMessage" followed by the message data

Jake AR @PF-3320

No, that's all done with JS in browser

Jake AR @PF-3320

Push notifications are disabled

Jason NY @PF-3527

John WA is now telling me that he inserted an SD card from Vincent WA into his computer with a bunch of random files on it

Jason NY @PF-3527

and that he then gave the SIM card to Thomas and asked him to take a look at it

Jason NY @PF-3527

John believes he "definitely may have" opened random executable files

Jake AR @PF-3320

Maybe the webhooks have to do with the app? We could test to see if our messages appear when we use the browser or app

Jason NY @PF-3527

That SD card needs to be opened in a VM and checked for autorun script immediately

Jason NY @PF-3527

@Thomas Did you ever insert the SD card from Vincent WA into your computer?

Jake AR @PF-3320

Did Thomas put SD card in his PC??

Jason NY @PF-3527

John believes he did

Jason NY @PF-3527

I am very much hoping Thomas didn't get around to it or thought it was a bad idea

Matthew MN @PF-6495

That would explain a lot if that is the case

Matthew MN @PF-6495

We would need either to analyze that card

Jake AR @PF-3320

A keylogger is bold and would give reason to believe they had some tech skills or inclinations to be techy, but we haven't seen that elsewhere. Curious what server they're sending it to

Jake AR @PF-3320

I wrote a keylogger once and it was simple and not detected by AV. USB autorun script. It just sent me an email with the contents

Jason NY @PF-3527

Yes, probably being sent to email if it exists. Easy to get a "FUD" keylogger with autorun exploit on sites like hackforums.

Jason NY @PF-3527

Even if not autorun, John said there were modelling files in there which would probably be pretty different than jpg/png. I remember an execution exploit in Valve model files from a few years back.

Jason NY @PF-3527

.mdl files

Matthew MN @PF-6495

Yeah if we find suspicious stuff in that card we will need to analyze it on a Linux computer

Matthew MN @PF-6495

Do Mason and Thomas run an updated AV on their machines?

Jake AR @PF-3320
Missing attachment: Screenshot_20211213-152232_Chrome.jpg
Jake AR @PF-3320

So I have to update the hash script because sometimes rocket chat messes up and doesn't update the names thus it breaks the script.

Jake AR @PF-3320

A lot of times these things are put in the auto run folders when you log in or boot up the computer so it could be a scheduled task or in the startup menu

Jake AR @PF-3320

There may be more sophisticated and hidden ways, but I'd look for that stuff first if we don't have the SD still

Vincent TX @PF-4354

Mason has the SD

Matthew MN @PF-6495

When Mason connected the cards did he get a Windows notification asking for administrator permissions?

Matthew MN @PF-6495

The Windows UAC pop-ups

Thomas @thomas

Update: The SD card was just an SD card. There may have been revealing photos of/about Vincent WA on it, but probably just banner drops based on what I saw and nothing conclusive or interesting. No non-photo or video files. No hidden files. All created over a weekend-span a few months ago. No pop ups, no nothing.

219169
Last login: 1:54 PM
Created at: November 7, 2021

Jason NY @PF-3527

Very happy to hear that. You and Mason should both run a Malwarebytes scan anyway just to be safe.

Jason NY @PF-3527

Robert IN is still logging in to the vetting server daily and I don't understand why.

Thomas @thomas

He may just have it up. Carter, I believe, said he always shows up to meetings early, responds to messages well, etc. It's a good quality if suspicion is assuaged.

Jason NY @PF-3527

Imo somebody w/ admin should check logging to see if he just happens to have the server open or if he's actively switching through channels / looking at user list.

Thomas @thomas

Give me the instructions to do that. DM.

Jason NY @PF-3527

Okay sure thing

Benjamin WI @PF-8943

  • Stop and Disable the "Server" service. (Run a startup script that stops / disables it at each reboot too.)
  • Unbind "File & Print Sharing" from your wireless and wired adapter. (Only Client for MS Networks and IPv4 are needed for most PCs.)
  • Run Malwarebytes on your workstation (turn off all the cloud submission stuff).
  • Delete any saved wifi networks from your profile that you don't recognize.
  • Turn on the Windows firewall and have it deny all inbound connections in all profiles. If you have a hardware firewall at home (provided by your ISP) make sure that is turned on too with all inbound ports blocked.
  • Make sure UAC is turned on.
  • Disable the built-in Administrator account, guest account, and any other stuff you find in Computer Management.
  • Disable Windows Store app permissions in "PC Settings / Privacy". Basically everything in there can be turned off for non-domain-member PCs.

Vincent TX @PF-4354

I am getting a lot of reports of people being unable to log into Victory. It seems like the Victory logins are tied to RC, did our restoring from snapshot affect people's logins in any way?

Vincent TX @PF-4354

I checked and my login works just fine...Not sure what we can do here.

Matthew MN @PF-6495

Victory works fine for me

Jason NY @PF-3527

Someone messaged me that they had been opening Victory as a server in the RocketChat. Maybe they're doing that also. Tell them to open it in a web browser.

Vincent TX @PF-4354

What the...

Jason NY @PF-3527

Idek dude, really been feeling like a true pajeet recently

Matthew MN @PF-6495

PF is filled with tech boomers I swear

Benjamin WI @PF-8943

Victory works for me, no problems.

Benjamin WI @PF-8943

Hey on the mumble instructions it says "For technical assistance with Mumble please send a message to NQ Vincent NY on Rocketchat."

Benjamin WI @PF-8943

I don't see that user.

Jason NY @PF-3527

Vincent be relocatin' n shiet

Vincent TX @PF-4354

We should probably change that

Matthew MN @PF-6495

I will get that done tonight

Matthew MN @PF-6495

Vincent be like a rootless people and what not

Vincent TX @PF-4354

All of America is my domain

Thomas @thomas

Ethan OH, are we suspending him, putting him through for revetting, or clearing him on lack of suspicion? We need a plan and judgement for each of our suspects.

Jason NY @PF-3527

I would like to ask him if it was actually him in the mumble or if it was somebody impersonating him. Has he contacted us about getting his account reinstated yet?

Thomas @thomas

On Vetting, yes.

Jason NY @PF-3527

Okay. When Vincent is available let's have him connect to mumble with the excuse of getting his account verified and check if his IP matches up with the Ethan_OH in the first set of logs.
