Meridian Outfitters / 30 Jun 2026 UTC
Credential attack isolated to the 03:00 hour.
POST /api/login.
Requests Per Hour
POST /api/login responses.Reconstructed Timeline
203.0.113.66 are summarized here.Initial touch. The source IP requested GET / and received HTTP 200, consistent with a basic reachability or site fingerprinting check.
Login page loaded. The same IP requested GET /login and received HTTP 200, locating the authentication surface.
Login page revisited. A second successful GET /login occurred before any failed authentication attempts, suggesting preparation before automation began.
Burst begins. The first failed POST /api/login appears. The IP then produced 137 HTTP 401 responses against that endpoint.
Burst ends. The final observed attacker request is another failed POST /api/login. No successful login from this IP appears in the log.
Recommended Mitigation
Enforce per-IP and per-account rate limits on POST /api/login, temporarily block sources after repeated 401s, and require step-up verification before accepting more attempts.