89.42.231.182

Summary (Bottom Line Up Front)

High-confidence Local File Inclusion (LFI) attack campaign observed from 89.42.231.182 (Netherlands/Amarutu Technology Ltd) targeting web applications with directory traversal techniques to access sensitive system files. Assessment: HIGH threat level with 95% confidence based on 146 attack events over 17-day period targeting multiple protocols. Immediate blocking and input validation hardening recommended.

HTTP TCP TCP/SYN TLS/1.0 auto https https_tls_handshake smtp

WEB_EXPLOITER LFI

Activity Timeline

INITIAL REPORT2026-03-23T13:05:12Z

Source: Analyst Manual Entry

Technical details

Source: 89.42.231.182 (AS206264 Amarutu Technology Ltd, Netherlands)
Campaign Duration: March 6-23, 2026 (17 days active)
Attack Volume: 146 total events across 6 unique destination ports
Primary Technique: Local File Inclusion via URL-encoded directory traversal (MITRE T1083 - File and Directory Discovery)
Target Protocols: HTTP, HTTPS, TLS 1.0, SMTP, TCP
Kill Chain Phase: Reconnaissance
Key Indicators: Classic LFI patterns including "../../../../../../" traversal sequences and attempts to access /etc/passwd
AbuseIPDB Score: 100/100 (maximum threat rating)
Attack Sophistication: Medium - uses encoded path separators to bypass basic input filters

IOCs

IP:89.42.231.182

ASN:206264

COUNTRY:NL

Recommendations

Block source IP 89.42.231.182 and monitor for additional IPs from AS206264 Amarutu Technology Ltd
Implement strict input validation and sanitization for all user-supplied parameters, especially file path inputs
Deploy Web Application Firewall (WAF) rules to detect and block directory traversal patterns including URL-encoded variants
Audit web applications for Local File Inclusion vulnerabilities and apply security patches immediately
Monitor logs for similar LFI attack patterns targeting /etc/passwd and other sensitive system files across ports 80, 443, 6443, and SMTP services

medium LFI HTTP:6443

../../../../../../