amuck-landowner

Anyone heard of Webiron?

KeithVP

New Member
So a few hours ago I got an email from a company called "Webiron." They were basically saying that abuse was coming from one of my servers' IPs and they had blocked the IP from accessing their clients' sites. 

I did a search on them and so far have found nothing. Anyone heard of them? Are they even a legit company?
 

MannDude

Just a dude
vpsBoard Founder
Moderator
It would appear so. But regardless if they are 'legitimate' or not, did you investigate the abuse claim? Probably best to review that first.
 

KeithVP

New Member
Hey MannDude thanks for the response.

Yes, I did investigate and found nothing suspicious, hence this thread. :)

Looking for more input from other users.
 

DomainBop

Dormant VPSB Pathogen
I did a search on them and so far have found nothing. Anyone heard of them? Are they even a legit company?
Legit (despite the UPS store address). Arizona LLC.  Co-founder worked at GoDaddy for 3 years as Senior Engineer of Hosting Security Development and before that spent 13 years as the CTO of Internet Commerce Group ( ICG is probably better known by the names of some of the high traffic websites it operated like this one)

Yes, I did investigate and found nothing suspicious,
WebIron was incorporated 7 months ago and the service is still in beta so there's always the chance of a false positive...

The service they're developing does look useful (although it would sadly block the entire ColoCrossing and Ecatel networks and all of their wonderful users).   The beta only supports servers running RHEL/CentOS 6/7...hopefully they'll expand the supported OS list.
 

webiron

New Member
Just saw this post and wanted to stop by and say hello. Thanks for starting this discussion!

We are new and started bootstrapped with 2 guys. Currently Webiron service contains around 360,000 lines of code into the product. The abuse reporting platform is constantly changing (sometimes many times a day) as we continue on. Constructive feedback is definitely crucial and welcome. It launched on April 28th.

Since your first post we've implemented a do not report whitelist, better rate limits (ie we have minimum thresholds to meet before mail will be sent), only send web reports generated by traffic by our WAF (customers blocking entire countries through the network management software were generating a lot of false reports), only sent network reports for blocks to sensitive services generally used for abuse like SSH, MySQL, PostgreSQL, proxy ports etc. Over time these configs will be changed and appended to until we get the best outcome.

Just to clarify some things.


We do not block entire networks in our products. Our software is written to detect and block automation based on settings our customers configure the product with. It also supports many other features, ie spam, malware at the upload and  pre-execution stages including code injection malware). It does so based on learning algorithms based on the application and how it behaves. Some legit automation does get caught and blocked and due to configurability of the product we are not in control of this. We do however control who and when to send abuse. If we find automation software to be legit we have an ip/cidr whitelist that skips reporting. This will also ensure you don't end up on WARB.

WARB (our available blacklist) is a real-time configurable list that rates abuse departments on how effect they are at handling issues. It returns either IP, CIDR or ASN as well as abuse persistence by percentage (our emails have rate limits and batch abuse in 10 min increments) and the queried poll rate. You with the private API (free with registration) you can poll sample rates of 10 minutes, 30 minutes, hour, day, weekly and monthly. The public (non-registration IP rate limited) API only lists companies with 50% or higher persistence for abuse over the given poll time(hourly or daily poll rates). The intent is so have a list that holds networks accountable for their abuse issues and provide protection for those who do not want traffic from those who aren't responsible. The sample PHP API shows how it can be used to protect a PHP website querying based on percentage threshold to allow users to balance their own judgments. It is a fully automated list and as companies handle their issues they drop off it. It is also not integrated into our network management or WAF products. You can find more information at https://www.webiron.com/warb.html WARB has only been online now for about a week.

With my experience over the years I've worked with dozens of SOC departments either externally or internally and found a great difference in the coulture of abuse and how it is handled. From the meh who cares to the ontop of it. It makes a difference. It's one internet companies should learn it's important to be a good neighbor.


Issues with Colocrossing:

We have a test case where a consultant had to kill his own website on his own server as a bot describing itself as google was brute forcing xmlrpc.php to the point the server consistently crashed with load averages upwards of ~250+.  It was ran by several nodes solely on this provide since August. Since installing Webiron and blocking the abuse the site was restored and the server load averages stays around ~0.40 - ~0.90. When the abuse reporting went online it took Colocrossing well over a week to start to take action hence why they made WARB. They are still having problems but seems to be tackling the issues with a bit more rigor now. I take this as a sign reporting is working as the last few days are the only sign of the attacks subsiding since they started 7 months ago.

Issues with Ecatel:

We have a similar issue with this provider. Also attacking xmlrpc.php but this bot is brute forcing authentication information on about ~20 or so sites (that we know about) identifying itself as MSIE 7.0. It’s also a slower bot that most likely has little issue getting through most IDS/IPS devices. They have done nothing to curb the abuse at this point so they continue to persist on the list. This bot also seen has been seen on several other providers as well however attacks from those providers seemed to have stopped.

As stated previously we welcome construtive comments and feel they're crucial to assiting us in getting this stuff right. Please don't hesitate to contact us with any issues, comments, or concerns.

We're also working on provide provider loopback services to alert providers when there are extenal issues again the space so SOC departments can see what is getting through upstream protection (if it exists). IE REST or MQ push feeds. This would would most likely be a free service.

You can contact me directly at j _--_ webiron.com

-John

Twitter: https://www.twitter.com/webiron
 

John Bennett

New Member
I have also just recieved such an e-mail from these on behalf thy say of TalkTalk my provider, How ever TalkTalk seem a little baffled as to why. I sent the E-mail to there team for investgation. Webiron basicly says someone recieved a virus email from my ISP address ? As i regularly scan my system twice a week i have found no such virus, and i have sent no E-mails to anyone ? Rather baffles me as to WHY thy sent this to my email account ?
 

HBAndrei

Active Member
Verified Provider
I have also just recieved such an e-mail from these on behalf thy say of TalkTalk my provider, How ever TalkTalk seem a little baffled as to why. I sent the E-mail to there team for investgation. Webiron basicly says someone recieved a virus email from my ISP address ? As i regularly scan my system twice a week i have found no such virus, and i have sent no E-mails to anyone ? Rather baffles me as to WHY thy sent this to my email account ?

Can you post email here? or a screenshot of it? Of course hide any sensitive info in it.
I'm just curious.
Thanks.
 

John Bennett

New Member
Yeah no probs nothing to hide

From: Customer Security Team <[email protected]>
Sent: 17 July 2017 09:42
To: [email protected]
Subject: Re: [Ticket#2017071564007678] Security Alert from Talk Talk Customer
Security Team

Follow Up Flag: Follow up
Flag Status: Flagged

Dear MR J BENNETT,

We have received a complaint from an Internet user concerning alleged access attempts, or network related scans.
From the log information supplied it would appear to be the activity of a Virus or Trojan. The source of this activity has
been traced back to your account. Therefore we would like you to fully scan and if necessary clean your system(s).

Please reply to this email letting us know that your system or systems have been fully virus scanned and have been
cleared of any infections.

Temporary account suspension may be necessary in cases where the incident is causing problems to our
network.

Copy of original complaint:

15/07/2017 18:30 - Webiron Abuse Team wrote:

Hello!

=== You are receiving this e-mail in regard to abuse issues against our clients coming from the host at IP
78.xxx.xx.xxx. === (think this is mine IP not sure not even checked it but x it out)

--- Automated Message - To get a response or report issues with the reports, please see the contact info
below. ---
--- Report details are at the bottom of the e-mail. For web attacks see the "bot" links for more details about
the attack. ----

Webiron is a security service and this e-mail is being sent on behalf of our customers. We do not control how our
clients configure their protection and as a result do not control how blocks and bans are generated.

We are committed to providing useful information on abuse issues on behalf of our clients to help stop issues related
to issues that seem to originate from within your network.

We value your time and effort and appreciate your assistance in handling these issues!

If you are responsible for abuse issues however the IP being reported does not belong to you, please open a ticket or
email us to let us know of the error and we'll correct it as soon as possible.

Please note due to the retaliatory nature of attackers and the abundance of internet abuse havens and fake hosting
companies, we do not give out the exact IP of our clients. If you require further assistance we will be more than happy
to work with you. Just open a ticket our contact us with the details below.

-- Who We Are --
A little about our service, we are a server protection solution designed to help hosting companies, their customers,
and SoC departments improve their system security, stability and lower TCO and support costs.

Please feel free to send us your comments or responses. If you are inquiring for more information you must disclosed
the offending IP. To contact us via e-mail, use [email protected], however if you require a ticket tracked
response you can open one at our SOC ticket system.

-- Abuse Criteria --
To be considered abusive, a bot must either be a clear danger (IE: exploit attempts, flooding, etc) or match at least
two items from the list

-- Removal Requests --
To be removed entirely from future reports reply to this e-mail with REMOVE (in all caps) in the subject line. Please
note this will only stop the e-mail to the address the e-mail was sent to and public notices will remain as your abuse
address will be listed on our BABL blacklist.

-- Feed/History Links --
IP Abuse Feed: https://www.webiron.com/abuse_feed/78.144.42.159
IP Detailed Information: https://www.webiron.com/iplookup/78.144.42.159
Your Abuse Report History: https://www.webiron.com/abuse_feed/[email protected]

--- Blacklist Warning ---
In an ongoing effort to stop chronic abuse we maintain several blacklists available as flat data or free public DNSRBL.

For more information see: https://www.webiron.com/rbl.html

To check the blacklist status of the offending IP, see: https://www.webiron.com/iplookup/78.144.42.159

-- NEW --
We have now opened access to our RBL API allowing direct access to the entire RBL database. For more
information please see: https://www.webiron.com/rbl.html

Thank you for your support,

The WebIron Team


*** Note *** - All times are in America/Phoenix (-07:00)


Unwanted and or Abusive Web Requests:

Offending/Source IP: 78.144.42.159
- Issue: Source has attempted the following botnet activity: WordPress XMLRPC Dataminer
- Block Type: New Ban
- Time: 2017-07-15 10:31:40-07:00
- Port: 80
- Service: http
- Report ID: 36368e50-26a3-4e72-923a-19af1f0ed1e9
- Bot Fingerprint: 806eb3b8ce85bf7e127dea05994aa204
- Bot Information: https://www.webiron.com/bot_lookup/806eb3b8ce85bf7e127dea05994aa204
- Bot Node Feed: https://www.webiron.com/bot_feed/806eb3b8ce85bf7e127dea05994aa204
- Abused Range: 5.133.182.0/24
- Requested URI: /xmlrpc.php
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1

- Issue: Source has attempted the following botnet activity: WordPress Login Brute Force
- Block Type: Banned IP
- Time: 2017-07-15 10:31:40-07:00
- Port: 80
- Service: http
- Report ID: ffcfeaae-ce3b-4e0d-94a8-262dce3f67c4
- Bot Fingerprint: 78c5e7c8e2bf89b015688ee6cb512412
- Bot Information: https://www.webiron.com/bot_lookup/78c5e7c8e2bf89b015688ee6cb512412
- Bot Node Feed: https://www.webiron.com/bot_feed/78c5e7c8e2bf89b015688ee6cb512412
- Abused Range: 5.133.182.0/24
- Requested URI: /wp-login.php
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
- GET/POST Arguments Sent: pwd, wp-submit, testcookie, log

- Issue: Source has attempted the following botnet activity: WordPress Login Brute Force
- Block Type: Banned IP
- Time: 2017-07-15 10:31:40-07:00
- Port: 80
- Service: http
- Report ID: 9302eb23-1e38-499f-a299-7580dcfbd2b6
- Bot Fingerprint: 78c5e7c8e2bf89b015688ee6cb512412
- Bot Information: https://www.webiron.com/bot_lookup/78c5e7c8e2bf89b015688ee6cb512412
- Bot Node Feed: https://www.webiron.com/bot_feed/78c5e7c8e2bf89b015688ee6cb512412
- Abused Range: 5.133.182.0/24
- Requested URI: /wp-login.php
- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
- GET/POST Arguments Sent: pwd, wp-submit, testcookie, log

Hope it helps anyone else.
I have checked with TalkTalk and thy were looking into it.
 

stephon

New Member
So a few hours ago I got an email from a company called "Webiron." They were basically saying that abuse was coming from one of my servers' IPs and they had blocked the IP from accessing their clients' sites.

I did a search on them and so far have found nothing. Anyone heard of them? Are they even a legit company?
Why don't you check out their main website and contact their support team to get your issue resolved.
 
Top
amuck-landowner