Dec 08 2007

A Rose by Any Other Name…Sometimes, Not So Sweet!

Who is this guy?



        He is the “Withered Rose”. Just as mentioned in Time’s article, his website is undergoing renovation and my guess is that it will be doing so for a good long time. However, his blog is up and doing well. The new site is at and has been running since March of 2007. The mg probably stands for Mei Gui (玫瑰), the Pinyin for Rose in Chinese. Won’t go into too much detail about all the stuff on his blog since the most important stuff has been covered but it does contain some note worthy stuff.

        My guess is the Time’s reporter had some sort of agreement with Rose and his buddies not to take their photos for the article…me, no such agreement:


Withered Rose

More pictures of the happy hacker crew here and here.


        Never understand why Chinese hackers refuse to put a picture in their “About” page but then plaster them all over their website…who knows.

Blog name: Withered Rose’s Blog

Website Admin’s nickname: Withered Rose

Age: 23

Sex: Male

Blood type: (What the hell?) Either way, Withered Rose ain’t tellin’.

Your sign: Not giving this up either

Address: Chengdu

Personal Quote: “The pursuit of hacker technology is my life.”

Hobbies: Computers/Networks/Traveling/Hot Chicks (Yeah…)

        One of the first posts on his blog, is the most revealing and damning things I have ever seen a Chinese hacker write. It is very different from the interview provided to the Time’s reporter, although I thought he (the reporter) put enough sarcasm in the article to show how much he believed what they were saying.

NOTE: This is not a verbatim translation, just a gist of what I consider the important points.

        According to Rose, it is 3:00am and he has been gaming. Rose checks on the penetration results of the targeted computer. Just a hacker’s job he explains. This is where it starts to get good. “True professional hackers don’t hack inside the country (China) because China is too poor and there is no money in it; furthermore, it is also very dangerous.” Guess I don’t have to list this guy under patriotic hackers. Rose doesn’t know if he is a professional hacker but feels he is progressing.

        Rose goes on to say that the days of attacking the single server are over, that the interconnected servers don’t have any significant data. All of the big name companies, organizations, major governments, militaries, and Sci-Tech organizations all have their own file servers.

        Rose’s preferred method of attack is through social engineering and he says he has plenty of experience at it. First you get the sensitive information off the organization or institute’s public website. This period is called the collection stage. He notes that all the large companies maintain employee databases and that these contain the userids, passwords and mailboxes. Using the user’s identification you can search on the internet to find out where they go and what they do. It is important to do analysis on the userids of the major figures. It is possible to obtain their login and password at other sites they visit.

        According to Rose, mailboxes are the most useful. You can get thousands of mailbox addresses from one database. Next, simply send out thousands of emails with Trojans attached and one or more of the employees is going to open it.



30 responses so far

30 Responses to “A Rose by Any Other Name…Sometimes, Not So Sweet!”

  1. jumperon 08 Dec 2007 at 5:00 pm

    [Wicked | Withered] Rose. Do I get a prize or something. Oh wait – the prize is in the mail. Thanks again by the way. Enjoy the mall. I just came from there and it was not fun. Elbow-to-elbow.

  2. Heikeon 08 Dec 2007 at 8:34 pm


    Actually, I owe you once/twice again. You were the first one who told me this guys was a major player and…you were DOBA about the mall. God, that was horrible. If I had listened to you on either of these two calls, I could have got a jump on Time Magazine and avoided the mayhem that was shopping today.

  3. jumperon 08 Dec 2007 at 11:04 pm

    In the second picture of Rose, he is using a tool called Metasploit on his computer.

    IDefense has a lot of stuff on NCPH and Rose. There are a couple of archived webcast videos about them on idefense’ website. I did a bunch of searching and found this funny tidbit:

    21:41 gila poyo
    21:41 you computer is hack by chinese’s hack infall, shit!
    21:41 from my name is tan dailin
    21:41 contact us with QQ 5372453 or
    21:41 tel:86+0+13154663992
    21:41 my blog or
    21:41 ~~~~~~~~~~~~~~~~~~~~~~~~~shit! you are a pig !
    21:41 i found this in some machine
    21:41 haha

    It is from an archived IRC log. There isn’t any more context to go off of so I’m not sure who is who in this. Gila poyo is malay but I don’t know what it means.

  4. Heikeon 08 Dec 2007 at 11:35 pm


    First, you are a research animal. Second, hate to ask you for favor number gazillon, but if you have some free-time could you look at his post at and They are divided about 50/50 between Chinese and Computerese, so I just gave up on trying to translate them. They may or may not be important but I bow to your expertise to determine that. Anytime a Chinese hacker talks about attacking a US website it peaks my interest.

  5. slayersheron 10 Dec 2007 at 12:38 pm

    i was just wondering is anyone would still have some of there programs im interested in seeing how they worked.

    also jumper good recon

  6. Heikeon 10 Dec 2007 at 1:16 pm


    Afraid I can’t help you but Jumper may have the answer. As soon as Jumper starts charging for his tech services I’ll go broke! :)

  7. jumperon 10 Dec 2007 at 10:17 pm

    @Slayersher – if by “they” you mean NCPH, their old site (not up right now) had some tools like ginwui. It isn’t up anymore so you might check for ginwui.

  8. [...] that says it all! Went looking to find the whereabouts of Whithered Rose, who has compeltely disappeared from the Web [...]

  9. 回声on 17 Feb 2008 at 2:35 pm

    FYI as of 2/08’s IP address is set to loopback although the domain doesn’t expire until june.

  10. jumperon 20 Feb 2008 at 12:53 pm is also set to However, is set to and has a MS FTP server running on it. It has a lot of domains pointing to it so it is probably a virtual host.

  11. 回声on 21 Feb 2008 at 4:52 pm

    true, but the explanation doesn’t fix heike’s commentary links for articles 56 and 57 /wink

  12. jumperon 21 Feb 2008 at 5:16 pm

    I’m not sure what you mean. There isn’t an article 56 and there is only one link in 57 and it seems to be correct.

  13. Heikeon 21 Feb 2008 at 6:37 pm


    What are you talking about? I checked the articles too and didn’t find any problems. Did you accidently post the wrong article numbers?

  14. 回声on 23 Feb 2008 at 2:47 pm

    # Heikeon 08 Dec 2007 at 11:35 pm

    First, you are a research animal. Second, hate to ask you for favor number gazillon, but if you have some free-time could you look at his post at and They are divided about 50/50 between Chinese and Computerese, so I just gave up on trying to translate them. They may or may not be important but I bow to your expertise to determine that. Anytime a Chinese hacker talks about attacking a US website it peaks my interest.

  15. jumperon 24 Feb 2008 at 1:40 am

    I see. The links to mghacker are broken. No cache or wayback either.

  16. 回声on 24 Feb 2008 at 9:30 pm

    dun heer, g’lux yew 2 70345 546 5196 58 886 888 5555 8585

  17. Lee Kegangon 25 Feb 2008 at 2:18 pm

    THis is some crazy stuff! What ever happened to Rose and the NCPH? Anybody here anything from them once they “disappeared” offline?

  18. jumperon 25 Feb 2008 at 4:18 pm

    @Lee Kegang

    We don’t know. I was just searching around looking for them recently and couldn’t find anything that indicated why they aren’t around anymore.

    My guess is that they are being careful after the Time article.

  19. Heikeon 25 Feb 2008 at 4:30 pm


    Had the same luck as Jumper. Did everything I could to locate him or the group but no luck. May have something fun/interesting about his name later today.

  20. jumperon 25 Feb 2008 at 6:10 pm


    What interesting thing about his name? That mg really stands for 美国? :)

  21. Heikeon 25 Feb 2008 at 6:52 pm

    Heh…would it be wrong of me to go with your suggestion? Mine is not half that interesting.

    Probably can’t! Someone who speaks Chinese might call me out on it if I simply link to a sports article and claim that’s what it says…sigh. :)

  22. Lee Kegangon 26 Feb 2008 at 7:27 am

    Thanks for looking. I find it absolutely mezmerizing the stuff that groups like NCPH do.

    I tried looking at that idefense report, but apparently it was only for clients of idefense – what a tease!

  23. Heikeon 26 Feb 2008 at 4:53 pm


    No problem, I wish I could find the guy. Sure he will turn up somewhere.

  24. [...] Of course the most famous Chinese hacker Rose, the Withered. [...]

  25. Lee Kegangon 27 Feb 2008 at 7:28 am

    Did anyone read the iDefense report written on the NCPH?

  26. jumperon 27 Feb 2008 at 8:11 am

    There are two videos and a powerpoint from iDefense on NCPH. Both are pretty informative. I think you just have to fill out a customer contact form and then you can download them. Then you’ll probably get a sales call from them.

  27. Lee Kegangon 27 Feb 2008 at 10:48 am

    Thanks Jumper! was just wondering if anyone had a copy handy.

  28. Whiteon 18 Apr 2008 at 2:27 am

    :P I dun have prv: website… I’m chinese but my hometown is Yangon from Myanmar Country…I live in yangon… I’m 17yrs old guy… :P I want to be hacker…I wanna friendship with Brother Tan … what should i prepare to become great hacker?
    i wanna learn to become hacker, can u plz teach me? If can u mind me as a borther ? bro replay mi mail

  29. Heikeon 18 Apr 2008 at 4:44 am

    Just for you my friend, do not tell anyone:

    Super secret hacker knowledge

  30. [...] reported on Withered Rose here and here.  Time Magazine has more on him [...]