Summary (Bottom Line Up Front)
Internet-facing sensors observed medium-severity reconnaissance activity from IP 45.148.10.23 (Netherlands/AS48090) conducting Local File Inclusion (LFI) attacks targeting Git configuration files and vulnerability scanning across 27 events over a 12-hour period from February 26-27, 2026. The threat actor demonstrated focused reconnaissance behavior attempting to access sensitive version control metadata, consistent with initial attack phase activities. Assessment: Medium threat level with 95% confidence based on targeted LFI techniques and systematic scanning patterns.
Activity Timeline
UPDATE 2 (2026-03-14T12:37:03Z)
Source: Analyst Manual Entry
New findings
The threat actor employed HTTP-based Local File Inclusion techniques mapped to MITRE ATT&CK T1083 (File and Directory Discovery) to probe for exposed Git repository metadata. Traffic analysis revealed attempts to access `.git/config` files and other version control artifacts that could expose repository URLs, deployment configurations, or embedded credentials. The actor utilized multiple protocols including HTTP, TCP, TCP/SYN, and legacy TLS/1.0 connections across 2 unique destination ports. Primary attack patterns included `lfi_sensitive_config` and `scan_vuln_paths` techniques, each generating 3 hits during the observation period. No CVE-specific exploits were identified, with zero-day probability assessed at 5%. The source IP 45.148.10.23 registered a maximum AbuseIPDB reputation score of 100/100, indicating established malicious infrastructure.
UPDATE 1 (2026-03-10T13:30:43Z)
Source: Analyst Manual Entry
Threat actor operating from IP 45.148.10.23 (Netherlands/AS48090) conducted Local File Inclusion attacks targeting Git configuration files over a 12-hour period from February 26-27, 2026. Assessment: MEDIUM threat level with 95% confidence, representing typical web application reconnaissance activity. Organizations should immediately audit exposed Git metadata and implement path traversal protections.
New findings
The attacker executed 27 events across HTTP, TCP, and TLS/1.0 protocols targeting 2 unique destination ports. Primary techniques included Local File Inclusion (LFI) attacks specifically targeting sensitive configuration files and vulnerability scanning operations. Activity maps to MITRE ATT&CK technique T1083 (File and Directory Discovery) within the Reconnaissance phase of the cyber kill chain. The source IP maintains a maximum AbuseIPDB reputation score of 100/100, indicating established malicious activity. Attack patterns focused on the `lfi_sensitive_config` and `scan_vuln_paths` signatures, each generating 3 hits during the observation window.
Recommendations
- Implement immediate blocking of IP 45.148.10.23 and monitor for additional activity from AS48090 (TECHOFF SRV LIMITED)
- Conduct urgent audit of web applications for exposed .git directories, configuration files, and version control metadata
- Deploy path traversal filtering and input validation controls to prevent Local File Inclusion attacks
- Review web server configurations to ensure sensitive files are not accessible via HTTP requests
- Monitor for T1083 File and Directory Discovery techniques and establish detection rules for Git metadata enumeration attempts
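The last two recommendations ask for detection rules covering Git metadata enumeration and path traversal probes. The following Python script is an added illustration for this report, not code from any sensor or vendor named above: it parses a handful of constructed access-log lines (documentation-range IPs, not the reported source), normalizes each request target by URL-decoding up to twice so single- and double-encoded payloads collapse to the same form, tags requests for version-control artifacts (`.git/`, and, generalizing slightly beyond the page, `.svn/` and `.hg/`) or traversal sequences with the signature names and T1083 mapping used in the report, and flags sources whose hit count reaches a scanner threshold. A `200` status on a flagged Git path is reported separately, because that is the case where the audit in the recommendations above has found an actual exposure rather than a failed probe. The signature name `lfi_path_traversal`, the threshold of 3 and the log format are assumptions made for the example.

```python
"""
Git metadata enumeration / path traversal detector over web access logs.
Added example for this report; hypothetical helper, not product code.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log prefix: client IP, ident, user, [timestamp],
# "METHOD target PROTO", status. Only these fields are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Version-control artifacts a T1083 probe looks for (matched after normalization).
VCS_ARTIFACTS = ("/.git/", "/.gitignore", "/.svn/", "/.hg/")
TRAVERSAL_RE = re.compile(r"\.\./")   # backslashes are folded to "/" first


def normalize(target: str) -> str:
    """Decode percent-encoding up to twice (catches %252e double encoding),
    fold backslashes into slashes and lowercase. The query string is kept
    because LFI payloads usually live in a parameter, e.g. ?page=../../x."""
    p = target
    for _ in range(2):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    return p.replace("\\", "/").lower()


def classify(target: str):
    """Return (signature, ATT&CK technique) for a suspicious target, else None."""
    p = normalize(target)
    if any(a in p for a in VCS_ARTIFACTS):
        return ("lfi_sensitive_config", "T1083")
    if TRAVERSAL_RE.search(p):
        return ("lfi_path_traversal", "T1083")   # assumed signature name
    return None


def detect(log_lines):
    """One finding per matching log line; `served` is True when the server
    answered 200, i.e. the probed file was actually exposed."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = classify(m["target"])
        if tag is None:
            continue
        findings.append({
            "ip": m["ip"],
            "target": m["target"],
            "status": int(m["status"]),
            "signature": tag[0],
            "technique": tag[1],
            "served": m["status"] == "200",
        })
    return findings


def summarize(findings, threshold=3):
    """Per-source hit count; sources at or above `threshold` hits are marked
    as systematic scanners (threshold value is an assumption)."""
    hits = Counter(f["ip"] for f in findings)
    return {ip: {"hits": n, "scanner": n >= threshold} for ip, n in hits.items()}


# Constructed sample log: one scanning source, one benign source.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Feb/2026:23:27:33 +0000] "GET /.git/config HTTP/1.1" 404 153',
    '203.0.113.7 - - [26/Feb/2026:23:27:34 +0000] "GET /.git/HEAD HTTP/1.1" 404 153',
    '203.0.113.7 - - [26/Feb/2026:23:27:35 +0000] '
    '"GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 2214',
    '203.0.113.7 - - [26/Feb/2026:23:27:36 +0000] '
    '"GET /%252e%252e/%252e%252e/.git/config HTTP/1.1" 200 312',
    '198.51.100.4 - - [27/Feb/2026:10:02:11 +0000] "GET /about.html HTTP/1.1" 200 5120',
    '198.51.100.4 - - [27/Feb/2026:10:02:12 +0000] "GET /assets/logo.png HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    results = detect(SAMPLE_LOG)
    for f in results:
        state = "EXPOSED" if f["served"] else "probe"
        print(f'{f["ip"]} {f["signature"]} ({f["technique"]}) {state}: {f["target"]}')
    print(summarize(results))
```

Running it on the sample flags four requests from the scanning source, two of which were answered with 200 (the traversal payload and the double-encoded `.git/config` request); those are the entries that should be escalated from "reconnaissance observed" to "exposed file, fix the web server configuration". Decoding twice can over-decode a legitimately double-encoded URL, which is acceptable for a detection rule but would not be for an access-control decision.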
INITIAL REPORT (2026-03-10T00:10:40Z)
Source: Analyst Manual Entry
Malicious activity detected from 45.148.10.23 (AD, AS48090). 23 events observed across HTTP, TCP, TCP/SYN, TLS/1.0, auto. AI verdict: MEDIUM.
Technical details
Protocols: HTTP, TCP, TCP/SYN, TLS/1.0, auto
Attack types: LFI, SCANNER
Unique destination ports: 2
Active window: 2026-02-26 23:27:33.424052 to 2026-02-27 11:42:59.239317
Top patterns: lfi_sensitive_config, scan_vuln_paths
Associated CVEs: none
IOCs
IP: 45.148.10.23
ASN: 48090
COUNTRY: AD
Recommendations
- Block 45.148.10.23 at perimeter firewall
- Monitor other traffic from AS48090
- Review correlated attacker profiles for campaign links