Anyone heard of Webiron?

Discussion in 'The Pub (Off topic discussion)' started by KeithVP, May 2, 2015.

  1. KeithVP

    KeithVP New Member

    May 2, 2015
    So a few hours ago I got an email from a company called "Webiron." They were basically saying that abuse was coming from one of my servers' IPs and they had blocked the IP from accessing their clients' sites. 

    I did a search on them and so far have found nothing. Anyone heard of them? Are they even a legit company?
    webiron likes this.
  2. MannDude

    MannDude Just a dude vpsBoard Founder Moderator

    Mar 8, 2013
    It would appear so. But regardless if they are 'legitimate' or not, did you investigate the abuse claim? Probably best to review that first.
  3. KeithVP

    KeithVP New Member

    May 2, 2015
    Hey MannDude thanks for the response.

    Yes, I did investigate and found nothing suspicious, hence this thread. :)

    Looking for more input from other users.
    MannDude likes this.
  4. DomainBop

    DomainBop Dormant VPSB Pathogen

    Oct 11, 2013
    Legit (despite the UPS store address). Arizona LLC.  Co-founder worked at GoDaddy for 3 years as Senior Engineer of Hosting Security Development and before that spent 13 years as the CTO of Internet Commerce Group ( ICG is probably better known by the names of some of the high traffic websites it operated like this one)

    WebIron was incorporated 7 months ago and the service is still in beta so there's always the chance of a false positive...

    The service they're developing does look useful (although it would sadly block the entire ColoCrossing and Ecatel networks and all of their wonderful users).   The beta only supports servers running RHEL/CentOS 6/7...hopefully they'll expand the supported OS list.
    webiron and KeithVP like this.
  5. webiron

    webiron New Member

    May 8, 2015
    Just saw this post and wanted to stop by and say hello. Thanks for starting this discussion!

    We are new and started bootstrapped with 2 guys. Currently Webiron service contains around 360,000 lines of code into the product. The abuse reporting platform is constantly changing (sometimes many times a day) as we continue on. Constructive feedback is definitely crucial and welcome. It launched on April 28th.

    Since your first post we've implemented a do not report whitelist, better rate limits (ie we have minimum thresholds to meet before mail will be sent), only send web reports generated by traffic by our WAF (customers blocking entire countries through the network management software were generating a lot of false reports), only sent network reports for blocks to sensitive services generally used for abuse like SSH, MySQL, PostgreSQL, proxy ports etc. Over time these configs will be changed and appended to until we get the best outcome.

    Just to clarify some things.

    We do not block entire networks in our products. Our software is written to detect and block automation based on settings our customers configure the product with. It also supports many other features, ie spam, malware at the upload and  pre-execution stages including code injection malware). It does so based on learning algorithms based on the application and how it behaves. Some legit automation does get caught and blocked and due to configurability of the product we are not in control of this. We do however control who and when to send abuse. If we find automation software to be legit we have an ip/cidr whitelist that skips reporting. This will also ensure you don't end up on WARB.

    WARB (our available blacklist) is a real-time configurable list that rates abuse departments on how effect they are at handling issues. It returns either IP, CIDR or ASN as well as abuse persistence by percentage (our emails have rate limits and batch abuse in 10 min increments) and the queried poll rate. You with the private API (free with registration) you can poll sample rates of 10 minutes, 30 minutes, hour, day, weekly and monthly. The public (non-registration IP rate limited) API only lists companies with 50% or higher persistence for abuse over the given poll time(hourly or daily poll rates). The intent is so have a list that holds networks accountable for their abuse issues and provide protection for those who do not want traffic from those who aren't responsible. The sample PHP API shows how it can be used to protect a PHP website querying based on percentage threshold to allow users to balance their own judgments. It is a fully automated list and as companies handle their issues they drop off it. It is also not integrated into our network management or WAF products. You can find more information at WARB has only been online now for about a week.

    With my experience over the years I've worked with dozens of SOC departments either externally or internally and found a great difference in the coulture of abuse and how it is handled. From the meh who cares to the ontop of it. It makes a difference. It's one internet companies should learn it's important to be a good neighbor.

    Issues with Colocrossing:

    We have a test case where a consultant had to kill his own website on his own server as a bot describing itself as google was brute forcing xmlrpc.php to the point the server consistently crashed with load averages upwards of ~250+.  It was ran by several nodes solely on this provide since August. Since installing Webiron and blocking the abuse the site was restored and the server load averages stays around ~0.40 - ~0.90. When the abuse reporting went online it took Colocrossing well over a week to start to take action hence why they made WARB. They are still having problems but seems to be tackling the issues with a bit more rigor now. I take this as a sign reporting is working as the last few days are the only sign of the attacks subsiding since they started 7 months ago.

    Issues with Ecatel:

    We have a similar issue with this provider. Also attacking xmlrpc.php but this bot is brute forcing authentication information on about ~20 or so sites (that we know about) identifying itself as MSIE 7.0. It’s also a slower bot that most likely has little issue getting through most IDS/IPS devices. They have done nothing to curb the abuse at this point so they continue to persist on the list. This bot also seen has been seen on several other providers as well however attacks from those providers seemed to have stopped.

    As stated previously we welcome construtive comments and feel they're crucial to assiting us in getting this stuff right. Please don't hesitate to contact us with any issues, comments, or concerns.

    We're also working on provide provider loopback services to alert providers when there are extenal issues again the space so SOC departments can see what is getting through upstream protection (if it exists). IE REST or MQ push feeds. This would would most likely be a free service.

    You can contact me directly at j _--_


    KeithVP and DomainBop like this.
  6. John Bennett

    John Bennett New Member

    Jul 18, 2017
    I have also just recieved such an e-mail from these on behalf thy say of TalkTalk my provider, How ever TalkTalk seem a little baffled as to why. I sent the E-mail to there team for investgation. Webiron basicly says someone recieved a virus email from my ISP address ? As i regularly scan my system twice a week i have found no such virus, and i have sent no E-mails to anyone ? Rather baffles me as to WHY thy sent this to my email account ?
  7. HBAndrei

    HBAndrei Active Member Verified Provider

    May 1, 2014
    Can you post email here? or a screenshot of it? Of course hide any sensitive info in it.
    I'm just curious.
    John Bennett likes this.
  8. John Bennett

    John Bennett New Member

    Jul 18, 2017
    Yeah no probs nothing to hide

    From: Customer Security Team <[email protected]>
    Sent: 17 July 2017 09:42
    To: [email protected]
    Subject: Re: [Ticket#2017071564007678] Security Alert from Talk Talk Customer
    Security Team

    Follow Up Flag: Follow up
    Flag Status: Flagged

    Dear MR J BENNETT,

    We have received a complaint from an Internet user concerning alleged access attempts, or network related scans.
    From the log information supplied it would appear to be the activity of a Virus or Trojan. The source of this activity has
    been traced back to your account. Therefore we would like you to fully scan and if necessary clean your system(s).

    Please reply to this email letting us know that your system or systems have been fully virus scanned and have been
    cleared of any infections.

    Temporary account suspension may be necessary in cases where the incident is causing problems to our

    Copy of original complaint:

    15/07/2017 18:30 - Webiron Abuse Team wrote:


    === You are receiving this e-mail in regard to abuse issues against our clients coming from the host at IP === (think this is mine IP not sure not even checked it but x it out)

    --- Automated Message - To get a response or report issues with the reports, please see the contact info
    below. ---
    --- Report details are at the bottom of the e-mail. For web attacks see the "bot" links for more details about
    the attack. ----

    Webiron is a security service and this e-mail is being sent on behalf of our customers. We do not control how our
    clients configure their protection and as a result do not control how blocks and bans are generated.

    We are committed to providing useful information on abuse issues on behalf of our clients to help stop issues related
    to issues that seem to originate from within your network.

    We value your time and effort and appreciate your assistance in handling these issues!

    If you are responsible for abuse issues however the IP being reported does not belong to you, please open a ticket or
    email us to let us know of the error and we'll correct it as soon as possible.

    Please note due to the retaliatory nature of attackers and the abundance of internet abuse havens and fake hosting
    companies, we do not give out the exact IP of our clients. If you require further assistance we will be more than happy
    to work with you. Just open a ticket our contact us with the details below.

    -- Who We Are --
    A little about our service, we are a server protection solution designed to help hosting companies, their customers,
    and SoC departments improve their system security, stability and lower TCO and support costs.

    Please feel free to send us your comments or responses. If you are inquiring for more information you must disclosed
    the offending IP. To contact us via e-mail, use [email protected], however if you require a ticket tracked
    response you can open one at our SOC ticket system.

    -- Abuse Criteria --
    To be considered abusive, a bot must either be a clear danger (IE: exploit attempts, flooding, etc) or match at least
    two items from the list

    -- Removal Requests --
    To be removed entirely from future reports reply to this e-mail with REMOVE (in all caps) in the subject line. Please
    note this will only stop the e-mail to the address the e-mail was sent to and public notices will remain as your abuse
    address will be listed on our BABL blacklist.

    -- Feed/History Links --
    IP Abuse Feed:
    IP Detailed Information:
    Your Abuse Report History:[email protected]

    --- Blacklist Warning ---
    In an ongoing effort to stop chronic abuse we maintain several blacklists available as flat data or free public DNSRBL.

    For more information see:

    To check the blacklist status of the offending IP, see:

    -- NEW --
    We have now opened access to our RBL API allowing direct access to the entire RBL database. For more
    information please see:

    Thank you for your support,

    The WebIron Team

    *** Note *** - All times are in America/Phoenix (-07:00)

    Unwanted and or Abusive Web Requests:

    Offending/Source IP:
    - Issue: Source has attempted the following botnet activity: WordPress XMLRPC Dataminer
    - Block Type: New Ban
    - Time: 2017-07-15 10:31:40-07:00
    - Port: 80
    - Service: http
    - Report ID: 36368e50-26a3-4e72-923a-19af1f0ed1e9
    - Bot Fingerprint: 806eb3b8ce85bf7e127dea05994aa204
    - Bot Information:
    - Bot Node Feed:
    - Abused Range:
    - Requested URI: /xmlrpc.php
    - User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1

    - Issue: Source has attempted the following botnet activity: WordPress Login Brute Force
    - Block Type: Banned IP
    - Time: 2017-07-15 10:31:40-07:00
    - Port: 80
    - Service: http
    - Report ID: ffcfeaae-ce3b-4e0d-94a8-262dce3f67c4
    - Bot Fingerprint: 78c5e7c8e2bf89b015688ee6cb512412
    - Bot Information:
    - Bot Node Feed:
    - Abused Range:
    - Requested URI: /wp-login.php
    - User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
    - GET/POST Arguments Sent: pwd, wp-submit, testcookie, log

    - Issue: Source has attempted the following botnet activity: WordPress Login Brute Force
    - Block Type: Banned IP
    - Time: 2017-07-15 10:31:40-07:00
    - Port: 80
    - Service: http
    - Report ID: 9302eb23-1e38-499f-a299-7580dcfbd2b6
    - Bot Fingerprint: 78c5e7c8e2bf89b015688ee6cb512412
    - Bot Information:
    - Bot Node Feed:
    - Abused Range:
    - Requested URI: /wp-login.php
    - User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
    - GET/POST Arguments Sent: pwd, wp-submit, testcookie, log

    Hope it helps anyone else.
    I have checked with TalkTalk and thy were looking into it.
  9. stephon

    stephon New Member

    Oct 31, 2017
    Why don't you check out their main website and contact their support team to get your issue resolved.
  10. IWSNetworks

    IWSNetworks New Member

    Oct 9, 2017
    Does the issue fixed ?
    I'm wondering to know more about this site and issue ?