Security Incident Report · SEV-2
Meridian Outfitters — Apache access log forensics · 30 June 2026 (UTC)
Traffic holds a steady ~25–30 req/hr baseline all day. Hour 03:00 UTC erupts to 173 requests — a ~6× spike driven entirely by 137 failed logins from a single IP.
Zoomed to the attack hour: 137 automated POST /api/login attempts
hammer the endpoint at a machine-steady ~2.6 tries/minute for 53 minutes straight. Every bar is an HTTP 401.
Every request below originates from 203.0.113.66. Note the deliberate reconnaissance ~24 minutes before the brute-force burst began.
GET / → 200. First appearance of the IP in the log; scoping the target.
Two hits on GET /login → 200, three minutes apart — mapping the auth flow and confirming the endpoint before automating.
First POST /api/login → 401. Rapid, scripted credential-stuffing attempts start against the discovered endpoint.
Sustained automated attack — every single attempt returns HTTP 401. No delay, no CAPTCHA, no lockout slowed it down.
Last attempt still returns 401. Zero 200/OK responses from /api/login for this IP: the credential guessing failed and the account was not compromised.
Recommended Mitigation
Enforce per-IP rate limiting with automatic lockout on /api/login — throttle and temporarily block any client after ~5 failed attempts (and immediately block 203.0.113.66), which stops a single-source brute force like this cold.