Chinese hacker Withered Rose returns

UPDATE: Dominic reminds me that some people might not be as Chinese hacker obsessed as myself and suggests I give some links as to why Withered Rose is important. Whoops on my part! For some background on rose, read here and here.

As mentioned yesterday and updated today, Withered Rose (Tan Dailin) is back to his old haunts; both and websites are up and running again. Just a couple of observations:

1) Rose has done some scrubbing of his personal blog Had to go to the wayback machine to make sure but you can tell a number of posts have been deleted for some reason by comparing the wayback machine to what is listed on the current blog’s archive. Rose has wiped out everything prior to March of 2007 and selectively edited the months still showing.

2) Not sure why but at least four of the new post on are old posts from the blog:


Mghacker 再现社会工程学 (29 Mar 2007)
Ncph 再现社会工程学 (31 May 2008)

[Source: Thedarkvisitor]


Mghacker 3389密码的嗅探 (29 Mar 2007)

Ncph 3389密码的嗅探 (11 May 2008)


Mghacker Rainbow Table 分析 (10 Apr 2007)

Ncph Rainbow Table 分析 (11 May 2008)


Mghacker 获取cuteftp中的ssh密码 (16 May 2007)

Ncph 获取cuteftp中的ssh密码 (11 May 2008)

3) Whois data shows that administrative contact as:

Administrative Contact:
ncph studio
ncph studio ()
si chuan li gong xue yuan
zigong, Sichuan, cn 643000
P: +86.13154663992 F: +86.13154663992

Sichuan Ligong Xueyuan is the Sichuan University of Science and Engineering. Rose founded NCPH while a student at the university. A Chinese hacker going by the name of Rodag, who was also a member of NCPH lists the university as a contact on his blog.

The contact number 86.13154663992, was noted by Jumper in an IRC log:

# jumperon 08 Dec 2007 at 11:04 pm edit this

In the second picture of Rose, he is using a tool called Metasploit on his computer.

IDefense has a lot of stuff on NCPH and Rose. There are a couple of archived webcast videos about them on idefense’ website. I did a bunch of searching and found this funny tidbit:

21:41 gila poyo
21:41 you computer is hack by chinese’s hack infall, shit!
21:41 from my name is tan dailin
21:41 contact us with QQ 5372453 or
21:41 tel:86+0+13154663992
21:41 my blog or
21:41 ~~~~~~~~~~~~~~~~~~~~~~~~~shit! you are a pig !
21:41 i found this in some machine
21:41 haha

It is from an archived IRC log. There isn’t any more context to go off of so I’m not sure who is who in this. Gila poyo is malay but I don’t know what it means.

My guess is the at the two of them are old college buddies.

4) What does this random sampling of information mean? Not much. Just wanted people to be aware that Mr. Rose is back in business and on the internet.