Summary (Bottom Line Up Front)
IP address 204.76.203.73 conducted a sustained Local File Inclusion (LFI) attack campaign from February 21 to April 16, 2026, targeting multiple web services with 118 recorded events. The activity represents LOW severity reconnaissance and exploitation attempts focused on accessing sensitive system files, particularly /etc/passwd. Organizations should immediately review web application security controls and monitor for similar LFI attack patterns. ##
Activity Timeline
UPDATE 12026-04-16T05:37:51Z
Source: Analyst Manual Entry
IP address 204.76.203.73 conducted a sustained Local File Inclusion (LFI) attack campaign from February 21 to April 16, 2026, targeting multiple web services with 118 recorded events. The activity represents LOW severity reconnaissance and exploitation attempts focused on accessing sensitive system files, particularly /etc/passwd. Organizations should immediately review web application security controls and monitor for similar LFI attack patterns.
New findings
The threat actor employed classic LFI techniques including directory traversal sequences (../../../../../../etc/passwd) and encoded traversal attempts across multiple protocols (HTTP, HTTPS, Modbus, TLS). Attack activity spanned 7 unique destination ports with concentrated targeting of ports 4443, 8080, and 9001. The campaign maps to MITRE ATT&CK technique T1046 (Network Service Scanning) during the reconnaissance phase, with 46 total LFI attempts including both standard and encoded payload variants. Key attack patterns included directory traversal, /etc/passwd access attempts, and information disclosure probes with HIGH severity alerts triggered on port 4443/TCP services.
Recommendations
- Implement robust input validation and sanitization on all web applications to prevent directory traversal attacks
- Deploy Web Application Firewalls (WAF) with updated rulesets specifically targeting LFI/directory traversal patterns
- Conduct immediate security assessment of services running on ports 4443, 8080, and 9001 to identify potential vulnerabilities
- Monitor network traffic for similar LFI attack signatures and directory traversal attempts across all web-facing services
- Review and restrict unnecessary port exposure, particularly non-standard HTTPS ports like 4443 that may indicate custom applications
INITIAL REPORT2026-04-01T08:10:11Z
Source: Analyst Manual Entry
IP address 204.76.203.73 conducted a sustained Local File Inclusion (LFI) campaign from February 21 to March 19, 2026, generating 118 malicious events targeting web applications with directory traversal attacks attempting to access /etc/passwd. This represents a MEDIUM threat level with moderate confidence, consistent with automated vulnerability scanning or exploitation attempts. Organizations should immediately review web application security controls and implement LFI-specific protections.
Technical details
Attack Vector: Local File Inclusion via HTTP directory traversal
Timeline: February 21, 2026 14:00 - March 19, 2026 05:00 (26-day campaign)
Volume: 118 events across 4 unique destination ports
Protocols: HTTP, HTTPS, Modbus, TLS/1.0
MITRE Technique: T1190 (Exploit Public-Facing Application)
Primary Targets: /etc/passwd file access via URL-encoded path manipulation
Attack Patterns: Directory traversal sequences, encoded traversal attempts, direct passwd file access
IOCs: 204.76.203.73 (source IP), HTTP requests to port 8080 with "/etc/passwd" payloads
Novelty Assessment: Low (3/10) - standard LFI techniques with minimal innovation
IOCs
IP:204.76.203.73
Recommendations
- Implement input validation and sanitization for all web application parameters to block directory traversal sequences
- Deploy Web Application Firewall (WAF) rules specifically targeting LFI attack patterns and encoded traversal attempts
- Block traffic from 204.76.203.73 at network perimeter and review logs for successful exploitation attempts
- Conduct vulnerability assessments on public-facing web applications, particularly those listening on non-standard ports
- Enable comprehensive logging for web applications and monitor for suspicious file access patterns targeting system files