Security Incident Report · SEV-2

Credential Brute-Force Against /api/login

Meridian Outfitters — Apache access log forensics · 30 June 2026 (UTC)

CONFIRMED · ATTACK CONTAINED
Total Requests
780
across 61 unique client IPs
Attacker IP
203.0.113.66
sole source of failed logins
Failed Logins · 401 POST /api/login
137
0 succeeded — account not breached
Attack Hour (UTC)
03:00–04:00
burst 03:05 → 03:59

02 Requests per Hour

Traffic holds a steady ~25–30 req/hr baseline all day. Hour 03:00 UTC erupts to 173 requests — a ~6× spike driven entirely by 137 failed logins from a single IP.

Normal traffic Attack window (03:00 UTC) Daily baseline (median ≈ 26/hr)

02b Inside the Burst — Failed Logins per Minute (03:00–04:00 UTC)

Zoomed to the attack hour: 137 automated POST /api/login attempts hammer the endpoint at a machine-steady ~2.6 tries/minute for 53 minutes straight. Every bar is an HTTP 401.

03 Reconstructed Attacker Timeline

Every request below originates from 203.0.113.66. Note the deliberate reconnaissance ~24 minutes before the brute-force burst began.

🛡️

Recommended Mitigation

Enforce per-IP rate limiting with automatic lockout on /api/login — throttle and temporarily block any client after ~5 failed attempts (and immediately block 203.0.113.66), which stops a single-source brute force like this cold.