“Your” Site is Being Used in a Phishing Scam

If you’re visiting because you are investigating a phishing scam and found a link to this site on the scammer’s computer, this page will hopefully clear things up. I’m terribly sorry that you’re in this mess and I’ll do what I can to help. Be sure to read this entire document before contacting me or you’ll be directed back here.

First, please calm down before you send me any further emails. Many of the responses to this situation are severe overreactions and if you write or call, screaming and cursing at me, I’m just going to delete your voicemail or email and move on with my day.

I also assure you that threatening to send my name to the FBI, Social Security Administration, Secret Service or any other federal agency will NOT change my responses. That’s because I’ve spoken with nearly every one of the agencies you’re likely to threaten me with. And, after I explain what exactly is going on, I’ve been sent along my way. If you’re dead certain that you need to “turn me in”, I’ll give you the numbers of the local agents that are the best to work with and maybe they can explain it to you in a way I can’t.

How You Probably Got Here

There are 2 scenarios that I get contacted about on this issue:

  1. Someone finds an IP address in their firewall/intrusion-detection software or other log file that indicates nefarious port scanning or other attempts at intrusion.
  2. A fake link to a bank/eBay/credit union/other phishing style page comes in an email. These phishing emails often have an IP address as the base address of the link.

In both cases, what people do is to put the IP address in question by itself (minus any of the extra directory and page information) into their browser in order to “see” what computer is involved. The next thing they see is a page containing “Welcome to PHPTriad” and a link to PHPGeek.com. From there, people choose various methods to contact me about the offending computer. Usually, they indicate that “my” site/computer is at fault or involved.

The Basic Answer

The page you’ve seen is the default page from a web server software package. It just happens to be a publicly visible peek into the software that the offending computer is running. Similarly, ALL of these computers are also running Windows from Microsoft. Unfortunately, my involvement and association with these computers is identical to Microsoft’s.

An otherwise perfectly legitimate tool is being used for crime. Consider someone writing a bomb threat in Microsoft Word, on Microsoft Windows on a Dell laptop, printed on a Canon printer before being delivered. The tools all “enabled” the crime, but the VAST majority of users of all of those technologies have done nothing wrong and use those tools daily.

I’m in the unfortunate situation that would be analogous to that bomb threat letter having “Printed by Canon http://www.canon.com” on the bottom of the letter. It’s an obvious place to start looking, but Canon’s not going to have any idea who wrote the letter.

Approximately 3.5 million people have downloaded PHPTriad over the last few years, and at least 3.49 million of them haven’t done anything illegal or even unethical. However, in any group of 3.5 million people, you’ve got some bad apples. Unfortunately, you found them.

They downloaded the free tool (I don’t have any records of who downloaded) and are running it on the offending computer. Because they never changed the default web page in the package, it’s visible to the world. That page is usually changed by the person who installed it and is intended to help *them* use the tool.

As a result, I really have NO connection to the computer in question and can’t do anything that you can’t do yourself.

So, What Should I Do?

The only people who can easily pull the computer off of the Internet are the ISPs that these computers connect through. That usually means you need to figure out where the computer actually is.

If you’re using Windows, you can trace the path between your computer and theirs by:

  1. Start->Run->cmd.exe [ENTER]
  2. Type “tracert”, a space and then the IP address in question.

What you’ll see is all of the computers between you and them. The first line will tell you what ISP they’re using:

Tracing route to c-76-101-71-85.hsd1.fl.comcast.net [IPADDRESS]
over a maximum of 30 hops:

If you look at the bit just before the IPADDRESS, you’ll see that, in this example, Comcast.net is the ISP in question. That’s the only “person” who can shut the site down. That’s who the police or other agency would actually tell to shut the site down. Most of the offenders are coming from DSL and cable ISPs.

Note, however, that these addresses can be assigned to different people at different times. So, while the offender may have had that IP address when you were attacked 6 weeks ago, today someone who had no involvement might have it.

So, what you need to do when going to a company like Comcast is to document the IP address and the time and date that the offense itself took place. Comcast can then determine who had the IP address at that time and move forward.

You’ll want to also provide them with either the phishing email or the intrusion log file to indicate what happened. If the IP address is outside the United States (more common than you might think), I don’t know of anyone who has actually gotten much action on the issue, sorry.
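As an added example (not part of this page or of PHPTriad), here is a Python helper that performs the steps above: it pulls the target’s reverse-DNS name and address out of the tracert header, reduces that name to the ISP’s domain, and packages the address together with the time of the offense and the evidence for the report to the ISP. The sample tracert text and its bracketed address are constructed, the small second-level-suffix table is a simplification, and the helper also handles the case where tracert prints no hostname at all.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a tracert header: the hostname is the one quoted on
# this page; the bracketed address is an assumed value matching its labels.
SAMPLE_TRACERT = (
    "Tracing route to c-76-101-71-85.hsd1.fl.comcast.net [76.101.71.85]\n"
    "over a maximum of 30 hops:\n"
)

_HEADER = re.compile(r"Tracing route to (\S+)(?: \[(\d{1,3}(?:\.\d{1,3}){3})\])?")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Labels that sit one level below a two-letter country TLD (example.co.uk).
_SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}


def parse_tracert_header(output):
    """Return (hostname, ip) from the first tracert line; hostname is None when
    the target has no reverse-DNS name and tracert prints only the address."""
    m = _HEADER.search(output)
    if not m:
        return None
    name, ip = m.group(1), m.group(2)
    if ip is None and _IPV4.match(name):
        return None, name
    return name, ip


def isp_domain(hostname):
    """Registrable domain of the reverse-DNS name, e.g. comcast.net."""
    labels = hostname.rstrip(".").lower().split(".")
    keep = 3 if len(labels[-1]) == 2 and labels[-2] in _SECOND_LEVEL else 2
    return ".".join(labels[-keep:])


def build_abuse_report(tracert_output, observed_at_iso, evidence):
    """Assemble what the ISP needs: the address, who it belongs to and the exact
    time of the offense, since the address may since have been reassigned."""
    parsed = parse_tracert_header(tracert_output)
    if parsed is None:
        raise ValueError("no 'Tracing route to' line found")
    observed = datetime.fromisoformat(observed_at_iso)
    if observed.tzinfo is None:  # a time without zone is ambiguous to the ISP
        raise ValueError("observed_at_iso must include a UTC offset")
    hostname, ip = parsed
    return {
        "ip": ip,
        "hostname": hostname,
        "isp": isp_domain(hostname) if hostname else None,
        "observed_at_utc": observed.astimezone(timezone.utc).isoformat(),
        "evidence": evidence,
    }
```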

Overall, the above steps are what I’ve done in similar situations and I don’t have any more information on your offender than that. If you still need to contact me, feel free, but I probably can’t help much more.