204.76.203.215

Summary (Bottom Line Up Front)

Threat actor operating from IP 204.76.203.215 conducted sustained reconnaissance and Local File Inclusion (LFI) attacks against multiple services over 47 days (February 22 - April 10, 2026), generating 284 security events. Despite the LOW confidence assessment, the campaign demonstrates escalating sophistication with targeted exploitation attempts against web applications and network infrastructure. Organizations should implement enhanced monitoring for LFI attacks and review exposure of management interfaces. ##

FTP HTTP MQTT Modbus MySQL ORACLE RDP SMTP SSH TCP TCP/SYN TELNET TLS TLS/1.0 auto http https https_tls_handshake oracle
WEB_EXPLOITER LFI
Activity Timeline
UPDATE 62026-04-10T07:19:34Z
Source: Analyst Manual Entry
Threat actor operating from IP 204.76.203.215 conducted sustained reconnaissance and Local File Inclusion (LFI) attacks against multiple services over 47 days (February 22 - April 10, 2026), generating 284 security events. Despite the LOW confidence assessment, the campaign demonstrates escalating sophistication with targeted exploitation attempts against web applications and network infrastructure. Organizations should implement enhanced monitoring for LFI attacks and review exposure of management interfaces.
New findings
Attack Timeline: 47-day campaign from February 22, 2026 20:00 to April 10, 2026 05:00
Volume: 284 total events with sustained activity pattern
Primary Techniques: Local File Inclusion (LFI) exploitation attempts (79 total hits), directory traversal attacks targeting /etc/passwd, and infrastructure probing
MITRE ATT&CK Mapping: T1046 (Network Service Scanning) - Reconnaissance phase
Protocols Targeted: Multi-protocol approach including FTP, HTTP/HTTPS, MQTT, Modbus, MySQL, Oracle, RDP, SMTP, SSH, and Telnet
Key Attack Patterns: Directory traversal sequences (../../../../../../etc/passwd), encoded path traversal, and vendor-specific probes against Fortinet and Palo Alto infrastructure
IOCs: Source IP 204.76.203.215 primarily targeting port 22 (SSH) with additional focus on ports 443, 4443, and 8080
Recommendations
  • Deploy web application firewalls with LFI detection rules to block directory traversal attempts containing "../" sequences and /etc/passwd access patterns
  • Review and restrict access to management interfaces on ports 443 and 4443, particularly for Fortinet and Palo Alto devices
  • Implement enhanced logging and alerting for repeated access attempts to system files and configuration directories
  • Conduct vulnerability assessments of web applications to identify and remediate LFI vulnerabilities before exploitation
  • Monitor for lateral movement attempts if any LFI exploitation was successful, as attackers may escalate to credential harvesting or privilege escalation
UPDATE 52026-04-08T06:43:31Z
Source: Analyst Manual Entry
IP address 204.76.203.215 conducted a sustained 45-day reconnaissance campaign targeting multiple protocols with 284 attack events, primarily focusing on Local File Inclusion (LFI) attacks against /etc/passwd files. This represents a HIGH threat level with 95% confidence, indicating systematic enumeration activities consistent with pre-attack reconnaissance. Immediate blocking and enhanced monitoring of similar attack patterns is recommended.
New findings
Attack Timeline: February 22, 2026 20:00 - April 7, 2026 21:00 (45 days)
Volume: 284 events across 12+ protocols (FTP, HTTP, MQTT, Modbus, MySQL, Oracle, RDP, SMTP, SSH, TELNET, TLS)
Primary Technique: T1083 (File and Directory Discovery) via LFI attacks
Kill Chain Phase: Reconnaissance
Key Patterns: Directory traversal using encoded path manipulation (../../../../../../etc/passwd), targeting port 22 (SSH) and web services
Attack Sophistication: Medium - classic techniques with URL encoding to evade basic filters
Notable Payloads: /../../../../../../etc/passwd, ../../../../../../, targeting FortiGate and PAN-OS devices
Recommendations
  • Block source IP 204.76.203.215 at perimeter firewalls and web application firewalls immediately
  • Implement enhanced monitoring for directory traversal patterns targeting /etc/passwd across all web-facing applications
  • Review and strengthen input validation on web applications, particularly for path traversal attempts with URL encoding
  • Deploy additional detection rules for multi-protocol reconnaissance activities from single source IPs
  • Conduct security assessment of any systems that may have been successfully accessed during the 45-day campaign period
UPDATE 42026-04-06T21:16:15Z
Source: Analyst Manual Entry
IP address 204.76.203.215 conducted a sustained 43-day multi-protocol reconnaissance and exploitation campaign targeting web applications with Local File Inclusion (LFI) attacks and Fortinet device probing. The threat is assessed as HIGH due to demonstrated sophistication and persistent targeting behavior. Immediate defensive measures should focus on web application hardening and network monitoring for LFI attack patterns.
New findings
Attack Timeline: February 22, 2026 20:00 - April 6, 2026 10:00 (43 days)
Volume: 284 events across 13+ protocols (FTP, HTTP, MQTT, Modbus, MySQL, Oracle, RDP, SMTP, SSH, Telnet, TLS)
Primary Techniques: Local File Inclusion (LFI) directory traversal attacks, Fortinet device reconnaissance (FORTI_PROBE)
Key Indicators: Path traversal attempts targeting `/etc/passwd` via `../../../../../../` sequences, HTTPS/443 Fortinet probing
Attack Patterns: 76 total LFI attempts with both standard and encoded traversal techniques across ports 8080/HTTP and 443/HTTPS
Infrastructure: Single-source campaign from unattributed IP with no reverse DNS resolution
Recommendations
  • Implement web application firewalls (WAF) with rules blocking directory traversal patterns containing "../" sequences
  • Monitor and alert on HTTP requests targeting sensitive system files like `/etc/passwd`, `/etc/shadow`, and `/proc/` directories
  • Apply latest security patches to Fortinet devices and restrict HTTPS management interface access to authorized networks only
  • Deploy network segmentation to limit lateral movement between web-facing services and critical infrastructure protocols (Modbus, MQTT)
  • Enhance logging for multi-protocol scanning patterns and establish baseline behavioral analytics for abnormal service enumeration
UPDATE 32026-03-30T19:15:08Z
Source: Analyst Manual Entry
IP address 204.76.203.215 conducted sustained reconnaissance and Local File Inclusion (LFI) attacks over 35 days from February 22 to March 29, 2026, generating 284 security events across multiple protocols including HTTP, HTTPS, Modbus, and TLS. The threat actor demonstrated moderate sophistication by targeting web applications with directory traversal techniques and probing Fortinet infrastructure, warranting elevated monitoring despite the overall LOW threat assessment. Network defenders should implement enhanced logging for web applications and review exposed service configurations.
New findings
The campaign spanned 35 days with consistent activity targeting 8 unique destination ports using HTTP, HTTPS, Modbus, TCP, TLS, and Oracle protocols. Primary attack vectors included Local File Inclusion attempts (70 total hits) focusing on `/etc/passwd` access through directory traversal techniques, and Fortinet infrastructure probing. The activity maps to MITRE ATT&CK technique T1046 (Network Service Scanning) within the Reconnaissance phase of the kill chain. Key indicators include requests for `../../../../../../etc/passwd` on HTTPS port 443 and `/etc/passwd` on HTTP port 8080, suggesting automated vulnerability scanning tools targeting common web application misconfigurations.
Recommendations
  • Monitor and restrict access to sensitive system files through web application firewalls and input validation controls
  • Review and harden exposed services on ports 443, 8080, and other web-facing interfaces against directory traversal attacks
  • Implement enhanced logging for Local File Inclusion attempts and establish alerting thresholds for repeated access attempts
  • Conduct security assessments of Fortinet infrastructure and ensure latest security patches are applied
  • Block IP address 204.76.203.215 at network perimeter and monitor for similar reconnaissance patterns from related infrastructure
UPDATE 22026-03-23T18:55:20Z
Source: Analyst Manual Entry
Threat actor operating from 204.76.203.215 (Netherlands/Pfcloud UG) conducted sustained Local File Inclusion attacks against web applications from February 22 to March 19, 2026, attempting to access /etc/passwd through directory traversal techniques. This HIGH-confidence reconnaissance activity represents standard LFI methodology with potential for privilege escalation and lateral movement. Organizations should immediately review web application input validation controls and implement appropriate blocking measures.
New findings
Attack Vector: Local File Inclusion (LFI) via directory traversal
Source: 204.76.203.215 (AS51396 Pfcloud UG, Netherlands)
Timeline: February 22, 2026 20:00 - March 19, 2026 05:00 UTC
Volume: 260 events across 25 days
Protocols: HTTP, HTTPS, TLS, Modbus, TCP
Target Ports: 6 unique destinations including 443, 8080
MITRE Technique: T1083 (File and Directory Discovery)
Kill Chain Phase: Reconnaissance
Primary Payloads: `../../../../../../etc/passwd`, URL-encoded traversal sequences
AbuseIPDB Score: 100/100 (maximum malicious rating)
Recommendations
  • Block source IP 204.76.203.215 at network perimeter and web application firewalls immediately
  • Review and strengthen input validation on all web applications, specifically filtering directory traversal sequences (../, %2e%2e%2f)
  • Audit web server configurations to ensure proper file access restrictions and chroot environments where applicable
  • Monitor for similar LFI patterns targeting /etc/passwd, /etc/shadow, and other sensitive system files
  • Implement comprehensive logging for file access attempts and establish alerting for directory traversal indicators
UPDATE 12026-03-17T06:40:06Z
Source: Analyst Manual Entry
High-confidence Local File Inclusion (LFI) attack campaign observed from IP 204.76.203.215 (Netherlands/AS51396) conducting systematic reconnaissance against web applications from February 22 to March 16, 2026. The threat actor executed 245 attack events targeting system file enumeration with standard directory traversal techniques, assessed as HIGH threat level with 95% confidence. Immediate implementation of web application firewall rules and input validation controls recommended to block ongoing exploitation attempts.
New findings
Source Infrastructure: 204.76.203.215 (Kerkrade, NL) via Pfcloud UG hosting with maximum AbuseIPDB reputation score (100/100), exposing SSH (22) and PostgreSQL (5432) services on Linux platform. Attack Vector: Systematic LFI campaign employing URL-encoded directory traversal sequences targeting /etc/passwd file access across HTTP/HTTPS protocols with TLS 1.0 implementations. Volume & Timeline: 245 total events spanning 22 days (February 22 20:00 - March 16 08:00, 2026) across 5 unique destination ports. MITRE Mapping: T1083 (File and Directory Discovery) during Reconnaissance phase with additional Fortinet infrastructure probing capabilities. Key IOCs: 204.76.203.215, encoded traversal patterns for passwd file access, multi-protocol reconnaissance spanning HTTP/Modbus/Oracle services.
Recommendations
  • Deploy web application firewall rules to block directory traversal patterns and encoded path manipulation attempts targeting system files
  • Implement strict input validation and sanitization for all user-supplied parameters in web applications, particularly path-based inputs
  • Block source IP 204.76.203.215 and monitor for additional infrastructure from AS51396 (Pfcloud UG) exhibiting similar attack patterns
  • Review and harden file system permissions to prevent unauthorized access to sensitive system files like /etc/passwd
  • Enable enhanced logging for file access attempts and implement alerting for suspicious directory traversal activities across web services
INITIAL REPORT2026-03-10T12:18:17Z
Source: Analyst Manual Entry
High-confidence Local File Inclusion (LFI) attacks observed from 204.76.203.215 (Netherlands/AS51396) targeting web applications to enumerate system users via /etc/passwd access attempts. Threat level assessed as HIGH with 95% confidence based on 127 attack events over 16-day campaign period from February 22 to March 9, 2026. Immediate blocking and web application firewall rule updates recommended.
Technical details
Source IP 204.76.203.215 demonstrates persistent reconnaissance activity using directory traversal techniques to access sensitive system files. Attack protocols include HTTP, HTTPS, TLS, Modbus, and TCP across three unique destination ports (22, 5432 visible). Primary attack vectors consist of URL-encoded directory traversal sequences targeting /etc/passwd (8 events) and generic dot-dot-slash patterns (14 events). Activity maps to MITRE ATT&CK technique T1083 (File and Directory Discovery) within the Reconnaissance phase. AbuseIPDB scoring of 100/100 indicates confirmed malicious infrastructure with no legitimate traffic patterns observed.
IOCs
IP:204.76.203.215
ASN:51396
COUNTRY:NL
Recommendations
  • Block source IP 204.76.203.215 and monitor for additional infrastructure from AS51396 (Pfcloud UG)
  • Implement or update WAF rules to detect and block directory traversal patterns in HTTP parameters
  • Review web application input validation controls, particularly for file path parameters and user-supplied input
  • Monitor for successful file access attempts in web server logs, especially /etc/passwd and other sensitive system files
  • Consider blocking or restricting access from known VPS/hosting providers if not required for business operations
Threat Assessment
Threat Level HIGH
AI Verdict LOW
Confidence 75%
Total Events 375
Indicators of Compromise
ip 204.76.203.215
MITRE ATT&CK
T1059 T1190
Captured Payloads (2)
medium FORTI_PROBE https:443 
/../../../../../../etc/passwd
medium LFI HTTP:8080 
../../../../../../