Jake AR
@PF-3320 RocketChat ID: 6AZpoAX3J8Pbm3aNr
653 total messages. Viewing 100 per page.
Page 3/7
A keylogger is bold and would give reason to believe they had some tech skills or inclinations to be techy, but we haven't seen that elsewhere. Curious what server they're sending it to
I wrote a keylogger once and it was simple and not detected by AV. USB autorun script. It just sent me an email with the contents
So I have to update the hash script because sometimes rocket chat messes up and doesn't update the names thus it breaks the script.
A lot of times these things are put in the autorun folders when you log in or boot up the computer, so it could be a scheduled task or in the startup menu
There may be more sophisticated and hidden ways, but I'd look for that stuff first if we don't have the SD still
This is just for b&s.org on cloudflare for right now
The victory server is 206.81.15.30
You can undo it
what images?
everything worked for me, but when I refreshed the page it wouldn't load
so maybe the web version of rocketchat does use API calls
do we know what user agent the mobile app uses?
we can write a rule to just block that user agent
DMs being pruned now
Does anyone remember if we figured out how to look at nginx logs and identify the app user agent?
blocking all API calls seems to break the browser
not sure if regex
cloudflare is ideal since it's first contact
but I don't know what user agents we are blocking
does anyone know how to look at nginx logs?
You're right
So we are purging the nginx docker container logs every hour, and it does contain IP addresses and user agents and the GET url
I will try to identify the user agent
it also looks like rocketchat might be saving IP addresses somewhere, looking into that now
So the sessions db has lots of IPs and client info
The oldest one being 8/31/2021
We could do a cronjob that does something like that
was just gonna try
I had 150 instances, I deleted them all and nothing changed with me using RC. When I refreshed the page it did not make a new instance, but when I closed the tab and opened it again, it did.
So it may be good to regularly purge instances to minimize how many IP addresses we are keeping. Should we purge daily?
@Vincent TX these both are completed
Tested, and now IPs are not found on server after the hourly nginx logs purge and rc sessions purge
i can find his IP, let me check
well since I purged it, I have to wait for him to log in again
test
also we could hide the invisible status option
okay, I am looking to where that is stored
I think I can derive who is using "invisible" status as long as they are currently online
currently, David WA and @Matthew MN
is that accurate @Matthew MN?
"we got em!"
All users with invisible setting
/* 1 */ { "name" : "Loy OK" }
/* 2 */ { "name" : "NQ - George OH" }
/* 3 */ { "name" : "Jeffery OH" }
/* 4 */ { "name" : "Alex NC" }
/* 5 */ { "name" : "Ben ID" }
/* 6 */ { "name" : "Oscar ID" }
/* 7 */ { "name" : "Billy Merse TX" }
/* 8 */ { "name" : "Patrick NC" }
/* 9 */ { "name" : "Matthew MN" }
/* 10 */ { "name" : "William TX" }
/* 11 */ { "name" : "Ray MN" }
/* 12 */ { "name" : "Travis CA" }
/* 13 */ { "name" : "Michael TX" }
/* 14 */ { "name" : "Alexander OR" }
/* 15 */ { "name" : "Vincent WA" }
/* 16 */ { "name" : "Benjamin OH" }
/* 17 */ { "name" : "Bryan IA" }
/* 18 */ { "name" : "James NC" }
/* 19 */ { "name" : "Flint NC" }
/* 20 */ { "name" : "Norman WI" }
/* 21 */ { "name" : "Jesse GA" }
/* 22 */ { "name" : "John VA" }
/* 23 */ { "name" : "Robert MD" }
/* 24 */ { "name" : "Norman CA" }
/* 25 */ { "name" : "Brian NC" }
/* 26 */ { "name" : "ND - William OK" }
/* 27 */ { "name" : "Joe MA" }
/* 28 */ { "name" : "David WA" }
/* 29 */ { "name" : "Adam NC" }
/* 30 */ { "name" : "Daniel TX" }
/* 31 */ { "name" : "ND - Samuel VA" }
/* 32 */ { "name" : "System" }
/* 33 */ { "name" : "Tyler WA" }
Good example of a honeypot
We should allow users to change their username maybe, and if they do it sends off a huge red flag
unless we automatically disabled them
or we could hide the real field and put in a fake field that they can change, and all it does is send us an email that they tried to
but it does nothing in reality
especially if they were trying to change it to another user's name, not just from Jake AR to Joe AR
Actually it's even easier than that, all we have to do is use JS to enable that field, but that is just on the front end; on the back end when they press submit it will fail and give an error, but we will also see the error
finished attempted username change honeypot script.
Sample alert
User PF-3320 has tried to update their username and alias

Updated Username: PF-8888

Updated Alias: Thomas
999999
88888888
Gggggggg
@Thomas we can try this cloudflare firewall filter when you get the chance. It should at least block the android app users.
Good ideas @Benjamin WI
Anyone who goes to /admin is suspicious
I'm working on an access log report that will show us that people are using different IPs and possibly different regions to access rocket chat.
@Benjamin WI is this only on the PC application? Or is this on the browser too? I've never come across this
We have not. Just temporarily disabled API but that should have no effect
Can you try accessing victory with their reset credentials just to make sure it's the server's end
We also cleared all sessions, but I don't think that would allow some ppl in but not others
I just got in with my test account, then reset the password and got in again
What error are they getting? If I could have the credentials of a user having a problem I can check to see what network errors they're getting (if it's a server side issue)
Someone might be able to go into victory and also look at logs but I haven't been in there and I don't have the new key
Let's see if we can remove any human error client side variables and try their username and password ourselves
They can change it afterwards.
Can I have a user who is having an issue so I can work with them
Hey
I heard you're having trouble logging into victory
Getting an invalid username and password error. I wanted to test this on my end using your account. So I can reset your password to something so I can use it that we both know and then afterward you can change your password back to something just you know.
I can reset it to ReclaimMuric@99
Then you'll be able to get back in and everything. After we're done testing you can change it to something else
Just let me know you acknowledge this before I do it so that way I know you know the new password
If it asks you for a password to log back in just use that one for now
Okay try logging into the victory website using
PF-694667
ReclaimMuric@99
I just tried it and it seemed to work let me know if it works for you or not.
I just reset Jim's password and was able to log into victory with the new password. I'm now having him try the same thing
@Vincent TX I'll dm you
I changed Jim's password to ReclaimMuric@99
I'm starting to wonder if people don't know how to use their username correctly.
He said he wrote down the new password then I tested it on victory and it worked fine.
If you're able to communicate with him outside of rocket chat then see if you can get him back in the server using these credentials and then we might know what everyone is doing wrong. That's another reason why it would be helpful if we force people to log out of the server 7 days or something that way they learn how to log in with their credentials
Yeah let's add that to the to-do list as well as possibly renaming the rocket chat main server from PF 3618 to something that doesn't look like a username. We had this issue from the beginning where people thought that was their username for some reason
I agree, just something to do in the future. It would help if we automatically logged out users after 7 days or something that way they learned what the username was and their password