WebSocket shards for investigation
hackcasual commented
Reviewing the coinhive js, it lists WebSocket hosts that agents use for getting and reporting jobs. Since the agents send the siteId directly, it's possible to gather information on the siteIds used where the coinhive js is embedded directly:
```
WEBSOCKET_SHARDS: [
["wss://ws001.coinhive.com/proxy", "wss://ws002.coinhive.com/proxy", "wss://ws003.coinhive.com/proxy", "wss://ws004.coinhive.com/proxy", "wss://ws005.coinhive.com/proxy", "wss://ws006.coinhive.com/proxy", "wss://ws007.coinhive.com/proxy", "wss://ws008.coinhive.com/proxy"],
["wss://ws009.coinhive.com/proxy", "wss://ws010.coinhive.com/proxy", "wss://ws011.coinhive.com/proxy", "wss://ws012.coinhive.com/proxy", "wss://ws013.coinhive.com/proxy", "wss://ws014.coinhive.com/proxy", "wss://ws015.coinhive.com/proxy", "wss://ws016.coinhive.com/proxy"],
["wss://ws017.coinhive.com/proxy", "wss://ws018.coinhive.com/proxy", "wss://ws019.coinhive.com/proxy", "wss://ws020.coinhive.com/proxy", "wss://ws021.coinhive.com/proxy", "wss://ws022.coinhive.com/proxy", "wss://ws023.coinhive.com/proxy", "wss://ws024.coinhive.com/proxy"],
["wss://ws025.coinhive.com/proxy", "wss://ws026.coinhive.com/proxy", "wss://ws027.coinhive.com/proxy", "wss://ws028.coinhive.com/proxy", "wss://ws029.coinhive.com/proxy", "wss://ws030.coinhive.com/proxy", "wss://ws031.coinhive.com/proxy", "wss://ws032.coinhive.com/proxy"]
]
```
It might be useful to see if those are still hit, and what site ids are reported.
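An added example, not part of the original comment and not CoinHive's code: one way to check whether the shard hosts listed above are still being contacted from a network is to flatten a `WEBSOCKET_SHARDS`-style list into a host set and match it against proxy logs. The log line format, the sample lines and the function names `shardHosts` and `findShardClients` are assumptions made for illustration.

```javascript
// Added example, not CoinHive's or the issue author's code.
// Builds a host set from a WEBSOCKET_SHARDS-style config and flags proxy log
// lines whose destination is one of those shards. Log format is an assumption.

// Subset of the shard list quoted in the issue (two hosts per group).
const WEBSOCKET_SHARDS = [
  ["wss://ws001.coinhive.com/proxy", "wss://ws002.coinhive.com/proxy"],
  ["wss://ws009.coinhive.com/proxy", "wss://ws010.coinhive.com/proxy"],
];

// Flatten the nested shard groups into a set of lowercase hostnames.
function shardHosts(shards) {
  return new Set(shards.flat().map((u) => new URL(u).hostname.toLowerCase()));
}

// Constructed sample lines: "<ISO time> <client ip> <method> <host>:<port>".
const SAMPLE_LOG = [
  "2018-01-10T09:00:01Z 10.0.0.5 CONNECT ws001.coinhive.com:443",
  "2018-01-10T09:00:02Z 10.0.0.7 CONNECT example.org:443",
  "2018-01-10T09:00:09Z 10.0.0.5 CONNECT WS010.coinhive.com:443",
  "2018-01-10T09:01:30Z 10.0.0.9 CONNECT ws001.coinhive.com.example.net:443",
  "malformed line",
];

// Return a Map of client IP -> sorted list of shard hosts it contacted.
function findShardClients(lines, hosts) {
  const hits = new Map();
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length !== 4) continue; // skip malformed lines
    const [, client, , dest] = fields;
    // Strip the port and compare the whole hostname, so look-alike names such
    // as ws001.coinhive.com.example.net do not match.
    const host = dest.replace(/:\d+$/, "").toLowerCase();
    if (!hosts.has(host)) continue;
    if (!hits.has(client)) hits.set(client, new Set());
    hits.get(client).add(host);
  }
  return new Map([...hits].map(([c, h]) => [c, [...h].sort()]));
}

const report = findShardClients(SAMPLE_LOG, shardHosts(WEBSOCKET_SHARDS));
for (const [client, hosts] of report) console.log(client, hosts.join(", "));
```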