Meridian Outfitters / 30 Jun 2026 UTC

Credential attack isolated to the 03:00 hour.

Forensic incident dashboard built from the Apache-style access log for the single logged day. No external data or libraries are used.
Total requests 780 All parsed log entries for 30 Jun 2026.
Attacker IP 203.0.113.66 Only source of failed login POSTs.
Failed logins 137 Exact HTTP 401 count for POST /api/login.
Attack hour 03:00 UTC hour containing every failed login attempt.

Requests Per Hour

Bars show all requests. Amber trace shows failed POST /api/login responses.
Hourly request timeline for 30 Jun 2026 The 03:00 UTC bar rises to 173 total requests and contains 137 failed login attempts from the attacker IP. 150 100 50 0 03:00 UTC attack window 173 requests, 137 failed logins 00 02 03 05 07 09 11 13 15 17 19 21 23

Reconstructed Timeline

Only events from 203.0.113.66 are summarized here.
02:41:12

Initial touch. The source IP requested GET / and received HTTP 200, consistent with a basic reachability or site fingerprinting check.

02:44:03

Login page loaded. The same IP requested GET /login and received HTTP 200, locating the authentication surface.

02:47:55

Login page revisited. A second successful GET /login occurred before any failed authentication attempts, suggesting preparation before automation began.

03:05:24

Burst begins. The first failed POST /api/login appears. The IP then produced 137 HTTP 401 responses against that endpoint.

03:58:39

Burst ends. The final observed attacker request is another failed POST /api/login. No successful login from this IP appears in the log.

Recommended Mitigation

Enforce per-IP and per-account rate limits on POST /api/login, temporarily block sources after repeated 401s, and require step-up verification before accepting more attempts.

The attacker generated 140 total requests: 3 successful page views before the burst and 137 failed login POSTs. The failed attempts span 03:05:24 through 03:58:39 UTC.