
Ledokol Ledokol 2.7.8

Changes in 2.7.8
Fixed: Missing translations on ban and unban
Fixed: Secondary right click menu item order
Fixed: Version numbers comparison on update
Fixed: VIP kick was not accessible with new style commands in Verlihub
Changed: VIP kicks are made with user's nick instead of bot nick
Added: Basic vote kicks using +votekick <nick>, configured with votekickclass and votekickcount
Added: CTM protocol flood actions, 0 = drop, 1 = kick, 2 = temporary ban, 3 = permanent ban, request by KCAHDEP

File information: Ledokol 2.7.8
Posted by ledokol on 2014-04-08 17:50 0 comments 0 likes

HeXHub HeXHub 5.12

Changes in 5.12
- when fake share detection is enabled and a passive search result is sent with no path in it, the user is kicked
- new event for plugins: onBadSettings(userId,63) ("passive search result without file path")
- GeoIP information was updated with GeoIPCountryWhois.csv from February 5th

File information: HeXHub 5.12
Posted by hexhub on 2014-03-01 08:15 0 comments 3 likes

BitCoin Miners and DirectConnect Bots

Imagine, if you will, a new user who just heard about the DirectConnect network and downloaded an NMDC client (may that be DC++, StrongDC++, Greylink++ or other client). The client is started and the user clicks the "Public hublists" button. A new normal user, of course, would join the first few biggest hubs. A few file lists are downloaded and... what's next? A search. A search for something Google can't find. What if there are no results from all hubs the new user is in? Well... there are! Search for any random string and you get at least one result from a bot that has a file named after your search string, ending with ".exe"!


You can notice that there is no path for the shared executable file. An attempt to get a bot's file list will get your IP blocked and all further connection requests to it rejected. The bot can provide an .exe and that's it. Currently, its IP in all hubs is , and it can be reported to and to .

But, the big question is, what does the trojan do?

The trojan is a WinRAR self extracting archive that executes the following install script:

Setup=ncmd.exe exec hide "dep.bat"

The archive contains the following files:

02/20/2014  10:46 PM           248,980 32.rar
02/20/2014  10:46 PM           239,972 64.rar
02/20/2014  10:47 PM         1,382,636 at.rar
02/17/2014  11:24 PM               969 dep.bat
01/23/2014  07:16 PM                77 ms.vbs
08/11/2013  03:41 PM            44,032 ncmd.exe
02/20/2014  10:48 PM         2,836,268 nv.rar
12/01/2013  02:08 PM           306,776 svchost.exe
               8 File(s)      5,059,710 bytes

All the .rar archives are password protected. The password to extract files from them is 12345. Each archive contains a coin mining tool (minerd 32/64, cgminer and CudaMiner). By default, they use the mining server from and they update the BitCoin wallet 1KGE8qgbR7mafVtvt2YsS5hYau9YLRXJx4 using the password x. Svchost.exe (306776 bytes) is the renamed command line RAR, ncmd.exe (44032 bytes) is the NirSoft command line utility that can hide the console, dep.bat (969 bytes) is the actual installer that extracts files from password protected archives to %APPDATA%\WinUpdate\, and ms.vbs (77 bytes) is a command line message box popup generator.

Set objArgs = WScript.Arguments
messageText = objArgs(0)
MsgBox messageText

Ms.vbs is used by dep.bat, after installing all the svchost.exe's and winlogon.exe's from the password protected archives, to show a message box with the following string: "Error loading dll.".

If you are infected with this trojan, your overall system performance is decreased because your system resources are used to generate money for the trojan spreader.

How much money did this trojan make for its owner? You can check its infection stats here: (in case you need a password, you can use "x").

Do not download anything from these bots and use the +report command to report them to the operators that are online in the hubs you found them!
Posted by Vektor on 2014-02-28 23:18 1 comment 4 likes
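
Added example, not part of the original post or of HeXHub's code: a hub-side check for the pattern described above and in the HeXHub 5.12 changelog, a passive search result whose file field carries no path. The `$SR` field layout used here follows the commonly documented NMDC format and is an assumption, as are the names `parse_sr` and `classify` and the constructed sample lines.

```python
import re
from typing import NamedTuple, Optional

SEP = "\x05"  # field separator used inside NMDC $SR commands (assumed layout)

class SearchResult(NamedTuple):
    nick: str
    path: str               # file field as sent by the client
    size: int
    target: Optional[str]   # present only on passive (hub-relayed) results

def parse_sr(raw: str) -> Optional[SearchResult]:
    """Parse a file-type $SR command; return None for anything else."""
    raw = raw.rstrip("|")
    if not raw.startswith("$SR "):
        return None
    nick, _, rest = raw[4:].partition(" ")
    fields = rest.split(SEP)
    if len(fields) not in (3, 4):
        return None
    # File results carry "<size> <free>/<total>"; directory results do not.
    m = re.fullmatch(r"(\d+) \d+/\d+", fields[1])
    if not m:
        return None
    target = fields[3] if len(fields) == 4 else None
    return SearchResult(nick, fields[0], int(m.group(1)), target)

def classify(raw: str, search_term: Optional[str] = None) -> str:
    """Return 'ignore', 'ok', 'no_path' or 'no_path_exe_echo'."""
    r = parse_sr(raw)
    if r is None or r.target is None:
        return "ignore"     # not a passive file result seen by the hub
    if "\\" in r.path or "/" in r.path:
        return "ok"         # a normal share always has a directory part
    # Pathless result: the condition HeXHub 5.12 kicks on.
    if search_term and r.path.lower() == search_term.lower() + ".exe":
        return "no_path_exe_echo"   # file name echoes the search, as the post describes
    return "no_path"

# Constructed sample traffic (nicks, hub name and address are made up).
HUB = "TestHub (192.0.2.10:411)"
BOT = f"$SR filebot qwertyzx.exe{SEP}512000 1/1{SEP}{HUB}{SEP}newuser|"
GOOD = f"$SR alice Music\\Albums\\track01.flac{SEP}31457280 2/5{SEP}{HUB}{SEP}newuser|"
DIRECTORY = f"$SR alice Music\\Albums 2/5{SEP}{HUB}{SEP}newuser|"

if __name__ == "__main__":
    for line in (BOT, GOOD, DIRECTORY):
        print(classify(line, "qwertyzx"), "<-", line.replace(SEP, "<05>"))
```

The `no_path_exe_echo` verdict needs the hub to remember each user's last search string; `no_path` alone needs no state.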

Hub voting system

Finally I had some time to re-add the good old hub voting system to the hublist engine. The voting is made two ways, good votes and bad votes, it's up to you which to choose. Remember, you can only vote for a hub once a day and voting for banned hubs is forbidden. You should also know that all votes are logged using your IP address, and if we find out that you're trying to cheat by using different IP addresses, your hub will get banned. Good luck.
Posted by RoLex on 2014-01-28 22:08 0 comments 0 likes

Hublist registration server

We've made huge improvements to the hublist registration server which is running on address Now it supports up to 1000 simultaneous registration requests. Here is how you add it to your hub:

!set hls server add

!set hublist_host
Posted by RoLex on 2014-01-15 13:45 0 comments 0 likes