Security Incident Report

Credential brute-force against Meridian Outfitters

Forensic reconstruction from access.log — 780 requests, single 24-hour window.

Confidential · Critical
Log date  30 Jun 2026 (UTC)
Report  08 Jul 2026
Total requests
780
Full day of traffic in log
Attacker IP
203.0.113.66
Source of every failed login
Failed logins · 401
137
POST /api/login
Attack hour · UTC
03:00
03:05:24 → 03:58:39

Requests per hour

Baseline traffic holds at ~19–36 requests/hour all day. Hour 03 spikes to 173 — a ~6× surge that is the brute-force burst.

Normal hourly traffic Attack window (hour 03 UTC)

Reconstructed attacker timeline

All events below are from IP 203.0.113.66 — 140 requests total.

  1. 02:41:12Recon
    First appearance — loads the homepage GET / → 200. No prior history in the log.
  2. 02:44:03Recon
    Locates the sign-in page GET /login → 200.
  3. 02:47:55Recon
    Revisits GET /login → 200, then goes quiet for ~18 min (staging the credential list / tooling).
  4. 03:05:24Attack
    Brute-force burst begins. First POST /api/login → 401.
  5. 03:05–03:58Attack
    137 failed logins hammered at /api/login, ~2–3 per minute for ~53 minutes straight — every one returns 401.
  6. 03:58:39Outcome
    Last attempt — burst stops. No POST /api/login ever returned 200, so no credential compromise is observed in this log. Attacker made no further requests.

Attack at a glance

Every figure computed directly from the log.

  • Requests from attacker140
  • Recon GETs before burst3
  • Failed login POSTs (401)137
  • Successful logins (200)0
  • Burst duration~53 min
  • Peak hour share of traffic22.2%
Recommended mitigation

Enforce per-IP rate limiting with automatic lockout after a handful of failed logins (e.g. 5 failures in 15 minutes) plus mandatory MFA on /api/login, which would have halted the 137-attempt burst from 203.0.113.66 after the first few tries.