[POOL][Scrypt][Scrypt-N][X11] Profit switching pool - wafflepool.com

[comeonalready]

That affected miners were showing the unexpected ip address on their status screens suggests an attack other than dns hijack, as mining software (such as cgminer) that usually displays a server name instead of its resolved address, would continue showing a server name, but the underlying network transport would resolve that server name to a different ip address.

sgminer and cgminer-37.3 (k) display pool names from their config files even when you set url to hard ://ip did someone changed configs during the "thing" to point miners to ://ip instead of name of the server? or may be to other pool and it went ok? what platform did miners who suffered used? bamt(what version and miner) or win cg or sg or cg-k? and what does edumacate mean?
and, considering scrypt asic situation right now, i would invest some $ in this kind of uberswitcherfacetoassbassin (the one, switching dns servers instead of coins)

As I have not tested the "poolname" feature and now the "name" feature in sgminer and kalroth cgminer, I can only make an assumption as to how it would behave in such a case, and I believe that I have already expressed my opinion on basing conclusions upon assumptions.  And as I am not interested in testing it nor examining the code for others who will almost certainly not appreciate my efforts, some one else will have to do it if they want the answer.  So whether the "poolname" display would stick in sgminer or kalroth cgminer after a client.reconnect command is processed is anyone's guess at this point.

[1714243041]

1714243041

[1714243041]

1714243041

[1714243041]

1714243041

[1714243041]

1714243041

[1714243041]

1714243041

[utahjohn]

@PW got this from multipool.us

Mar 22 4:22 PM It appears there is some kind of malware diverting some users' hashpower to 206.223.224.225. This is not a multipool pool server. If you are seeing this, please report it as well as what miner you are using, where you obtained it, and check your computer for malware.

It appears that waffle is not the only multipool under attack!

[dogechode]

@PW got this from multipool.us

Mar 22 4:22 PM It appears there is some kind of malware diverting some users' hashpower to 206.223.224.225. This is not a multipool pool server. If you are seeing this, please report it as well as what miner you are using, where you obtained it, and check your computer for malware.

It appears that waffle is not the only multipool under attack!

how would people check for this?

[utahjohn]

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>nslookup uswest.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    uswest.wafflepool.com
Address:  192.241.211.125


C:\Users\Administrator>tracert uswest.wafflepool.com

Tracing route to uswest.wafflepool.com [192.241.211.125]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  modem.Home [10.42.0.1]
  2    35 ms    32 ms    24 ms  67.41.239.68
  3    46 ms    42 ms    43 ms  67-41-234-25.slkc.qwest.net [67.41.234.25]
  4   212 ms    67 ms    54 ms  snj-edge-03.inet.qwest.net [67.14.34.54]
  5    41 ms    38 ms    38 ms  65.113.42.118
  6    76 ms    71 ms    48 ms  ae0-110g.cr1.sjc1.us.nlayer.net [69.22.143.117]

  7   105 ms   113 ms     *     ae1-70g.cr1.pao1.us.nlayer.net [69.22.143.166]
  8    68 ms    45 ms    50 ms  ae1-80g.cr1.sfo1.us.nlayer.net [69.22.143.169]
  9     *       74 ms    74 ms  as14061.ae5-401.cr1.sfo1.us.nlayer.net [69.22.13
0.38]
 10    65 ms    63 ms    82 ms  198.199.99.242
 11    44 ms    55 ms    41 ms  192.241.211.125

Trace complete.

C:\Users\Administrator>

[utahjohn]

@PW found this related to 206.223.224.225

https://github.com/potcoin/potcoin-seeder/blob/master/main.cpp

[comeonalready]

My cgminer started falling back to a backup pool and no longer connecting to the Waffle EU server. I see in my firewall logs that it tries to connect to 206.223.224.225:3009. Is that address related to Wafflepool and how so? It shows on whois lookup as a residential cable in Montreal, Canada. If I restart the cgminer it connects to Waffle EU normally but the same thing happens after a while.

Take notice that Meeho captured both the unexpected ip address and TCP PORT to which cgminer was attempting to connect, thereby further ruling out the possibility of a dns hijack, as dns maps host names to ip addresses only, and applications themselves handle port assignments.

The change of tcp port can only occur as a result of having received a client.reconnect command message from the stratum server, or a spoof thereof -- or the existence of other malware present on the affected mining computers themselves.  Dns hijacking can not possibly explain the cause of a miner process attempting to connect to a pool stratum server on a different tcp port.

Furthermore, as wafflepool servers had previously been experiencing a mysterious underreporting of miner hashrates, which was identified mostly by cudaminers hearing their gpu fans spin down as cudaminer was sitting idle waiting for more work to be sent from the wafflepool stratum server, that means cgminer with configured backup servers which by default will leak work to backup servers in the case of an underperforming active server, might even have received a client.reconnect command message from a stratum server other than wafflepool stratum server, as it could possibly have originated from a simultaneously active backup stratum server.  So those possible sources are too in play.


From ckolivas cgminer 3.7.2 readme:

Options for both config file and command line:

--failover-only     Don't leak work to backup pools when primary pool is lagging

Q: Work keeps going to my backup pool even though my primary pool hasn't
failed?

A: Cgminer checks for conditions where the primary pool is lagging and will
pass some work to the backup servers under those conditions. The reason for
doing this is to try its absolute best to keep the GPUs working on something
useful and not risk idle periods. You can disable this behaviour with the
option --failover-only.

[GAW Miners]

What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??

why dont you ask gridseed manages? 98.8% of people in here do not like your kind as much as thier first hangover.

I have.. But if its a Pool issue its not their issue..

And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..

I dont care what people like or dont like..

Is this some sort of gridseed deal or are you just able to stick them into a works server room?
Thanks
Miles

I dont work for them and dont want to get flamed by all the silly noobs on this site.

But it is GAWMiners     Look them up if you want. They have been offering free hosting..   I got a 20 pack yesterday during the day, and was up and hashing last night

Why would anyone spend $2000 on 3000-3400MH/s of scrypt mining power when it will take over 200 days to recoup the hardware cost at today's script coin values -- even with free electricity thrown in on the deal?  The writing is on the wall.  The profitability of scrypt mining is on the decline.  It will take much longer than 200 days to pay for that hardware, if you ever do.  At some point gaw will just decide to ship that equipment to you for free in order to remain profitable themselves.  Miners using GPUs will be able to switch to another algorithm to keep going for a little longer. but those gridseeds only become nice decorations.

The many mining booms in history (gold, silver, uranium, whatever) have shown that it is the suppliers to miners that earn the most profits from the boom.  And in the case of cryptocoin mining, the electricity companies too!

Yes..  I was told this same thing when I got into GPU mining in Mid 2013..  Go figure..  

I believe at the worst case, I will recoup..   But things change, pools evolve and I do believe some folks have been saying GPU mining has been dead since.. Oh lets see, early 2013???

So the ghost of profits past are coercing you invest more heavily in mining even as scrypt cryptocoin values are steadily decreasing?  Obviously I cannot know the future, but neither can you.  And if any of the profits you earned were from mining and holding, then those profits were actually from market speculation, and you might possibly have earned the same or more by simply buying cryptocoins instead of mining them and waiting for them to rise in value.  

I never buy and hold.. IMO, that is one of the dumbest strategies..  But LOTS of people seem to believe in it..  Most of my profits have been made using a trading bot.. Buy low sell High.. Over and Over and Over again and while I sleep..   I know a lot of people still holding, when my bot sold at $1200    But I will admit I hit the timing just right when BTC went to $1400 last Nov..   But still  I am WAY ahead of the game with the profits I have made so far..

So admittedly, most of your profits originate from successful trading strategies, so any investment in mining hardware is a more akin to buying a lottery ticket, as you will almost certainly lose, but you might just hit it big.  Given your past successes, you should likely concentrate your efforts in trading, and not dilute your focus with mining.

My Mining Feeds my Trading Balance..   I have been doing just fine but thanks for your insight..   As my Grandma use it say.. Opinions are like ass holes..  Everyone has one...

2000USD converted into cryptocoins would also have fed your trading balance quite well.  My only point is this.  With 3000-3400KH/s of gridseed hardware, you are guaranteed a 0% rate of return on your investment until you recoup hardware costs, perhaps in 200+ days, give or take.  And then you will be in pure profit territory, if gaw continues to pay for your 72KWh consumed every month.  But with a profitable trading strategy, you are losing out on immediate returns on $2000 otherwise allocated to gridseed hardware, and while each individual trading profit might be small, the cumulative effects of compounding might make that gridseed investment a losing proposition.  It is your money and your risk and certainly entitled to choose any route you wish.  I am just trying to collect as much information as I can and analyze all possibilities.

No Problem.. You make some good points.. All of which I already considered..   I just get a kick out of every time I see a post of "Doom and Gloom GPU and Alt Coins is dead".  If I had a nickle each time I heard this, I would have made more from my nickles then my BTC profits..  I work in IT,since 1988,  They were saying in 1988 Mainframes are dead and Programmers are dead and will no longer be needed..   2014 and I am still waiting..  

Hi,

We wanted to provide some clarity about our hosting.

GAW Inc owns a family of technology companies, including a national ISP. We own collocations all over the country. So power and hosting is a sunk cost to us. Our other technology divisions make up 95% of our revenues.  

So all customers that receive our hosting, bandwidth and electricity will continue to remain free. We enjoy bringing new things to the market. And plan to provide free hosting and power for more products. We even have a free btc hosted/electric solution we are working on

Thanks for your time

[comeonalready]

Hi,

We wanted to provide some clarity about our hosting.

GAW Inc owns a family of technology companies, including a national ISP. We own collocations all over the country. So power and hosting is a sunk cost to us. Our other technology divisions make up 95% of our revenues.  

So all customers that receive our hosting will continue to remain free. We enjoy bringing new things to the market. And plan to provide free hosting and power for more products. We even have a free btc hosted/electric solution we are working on

Thanks for your time

Perhaps I naturally look too deeply, but I happened to notice that while you did promise 'free hosting' in the sentence I marked in bold above, you neglected to include the word 'electricity', except when mentioning your plans, which I assume are always subject to change.  Would you care to clarify, and if I were to purchase equipment from you, then would provisions for hosting services and free electricity in perpetuity be included in a legally binding contract?

[insz]

My cgminer started falling back to a backup pool and no longer connecting to the Waffle EU server. I see in my firewall logs that it tries to connect to 206.223.224.225:3009. Is that address related to Wafflepool and how so? It shows on whois lookup as a residential cable in Montreal, Canada. If I restart the cgminer it connects to Waffle EU normally but the same thing happens after a while.

Take notice that Meeho captured both the unexpected ip address and TCP PORT to which cgminer was attempting to connect, thereby further ruling out the possibility of a dns hijack, as dns maps host names to ip addresses only, and applications themselves handle port assignments.

The change of tcp port can only occur as a result of having received a client.reconnect command message from the stratum server, or a spoof thereof -- or the existence of other malware present on the mining computers themselves.  Dns hijacking can not possibly explain the cause of a miner process attempting to connect to a pool stratum server on a different tcp port.

Furthermore, as wafflepool servers had previously been experiencing a mysterious underreporting of miner hashrates, which was identified mostly by cudaminers hearing their gpu fans spin down as cudaminer was waiting for more work to be sent from the wafflepool stratum server, that means cgminer with configured backup servers which by default will leak work to backup servers in the case of an underperforming active server, might even have received a client.reconnect command message from a stratum server other than wafflepool stratum server, as it could possibly have originated from a backup stratum server.  So those possible sources are too in play.


From ckolivas cgminer 3.7.2 readme:

Options for both config file and command line:

--failover-only     Don't leak work to backup pools when primary pool is lagging

Q: Work keeps going to my backup pool even though my primary pool hasn't
failed?

A: Cgminer checks for conditions where the primary pool is lagging and will
pass some work to the backup servers under those conditions. The reason for
doing this is to try its absolute best to keep the GPUs working on something
useful and not risk idle periods. You can disable this behaviour with the
option --failover-only.

I was going to say that I also use Google DNS and saw this happen to me, but that's a good point regarding the port change. Do you know if only active pools can trigger this? I had my miner configured for four pools, two of which are disabled, and two were set with a quota. Unfortunately I don't have any logs from the event.

Does anyone else who had this happen connect to multiple pools?

Randomly, a day or two before this started up, I read some old forum posts between slush and another op arguing over how to move forward with stratum and why you would ever need a command to redirect miners to other servers while looking for ways to improve my solo mining tests...

[GAW Miners]

Hi,

We wanted to provide some clarity about our hosting.

GAW Inc owns a family of technology companies, including a national ISP. We own collocations all over the country. So power and hosting is a sunk cost to us. Our other technology divisions make up 95% of our revenues.  

So all customers that receive our hosting, bandwidth, and electricity will continue to remain free. We enjoy bringing new things to the market. And plan to provide free hosting and power for more products. We even have a free btc hosted/electric solution we are working on

Thanks for your time

Perhaps I naturally look too deeply, but I happened to notice that while you did promise 'free hosting' in the sentence I marked in bold above, you neglected to include the word 'electricity', except when mentioning your plans, which I assume are always subject to change.  Would you care to clarify, and if I were to purchase equipment from you, then would provisions for hosting services and free electricity in perpetuity be included in a legally binding contract?

There sorry about that

[comeonalready]

My cgminer started falling back to a backup pool and no longer connecting to the Waffle EU server. I see in my firewall logs that it tries to connect to 206.223.224.225:3009. Is that address related to Wafflepool and how so? It shows on whois lookup as a residential cable in Montreal, Canada. If I restart the cgminer it connects to Waffle EU normally but the same thing happens after a while.

Take notice that Meeho captured both the unexpected ip address and TCP PORT to which cgminer was attempting to connect, thereby further ruling out the possibility of a dns hijack, as dns maps host names to ip addresses only, and applications themselves handle port assignments.

The change of tcp port can only occur as a result of having received a client.reconnect command message from the stratum server, or a spoof thereof -- or the existence of other malware present on the mining computers themselves.  Dns hijacking can not possibly explain the cause of a miner process attempting to connect to a pool stratum server on a different tcp port.

Furthermore, as wafflepool servers had previously been experiencing a mysterious underreporting of miner hashrates, which was identified mostly by cudaminers hearing their gpu fans spin down as cudaminer was waiting for more work to be sent from the wafflepool stratum server, that means cgminer with configured backup servers which by default will leak work to backup servers in the case of an underperforming active server, might even have received a client.reconnect command message from a stratum server other than wafflepool stratum server, as it could possibly have originated from a backup stratum server.  So those possible sources are too in play.


From ckolivas cgminer 3.7.2 readme:

Options for both config file and command line:

--failover-only     Don't leak work to backup pools when primary pool is lagging

Q: Work keeps going to my backup pool even though my primary pool hasn't
failed?

A: Cgminer checks for conditions where the primary pool is lagging and will
pass some work to the backup servers under those conditions. The reason for
doing this is to try its absolute best to keep the GPUs working on something
useful and not risk idle periods. You can disable this behaviour with the
option --failover-only.

I was going to say that I also use Google DNS and saw this happen to me, but that's a good point regarding the port change. Do you know if only active pools can trigger this? I had my miner configured for four pools, two of which are disabled, and two were set with a quota. Unfortunately I don't have any logs from the event.

Does anyone else who had this happen connect to multiple pools?

Randomly, a day or two before this started up, I read some old forum posts between slush and another op arguing over how to move forward with stratum and why you would ever need a command to redirect miners to other servers while looking for ways to improve my solo mining tests...

From what I understand, the client.reconnect command was included to seamlessly move miners over to another pool stratum server in preparation for maintenance on the originally active server.  As to whether a backup stratum server could trigger cgminer to suspend all active stratum server connections, I really cannot provide a firm answer.  It would make sense that a client.reconnect command message should only suspend one active stratum connection (the one on which it arrived), but there always exists the possibility of other unforeseen behavior within the implementation of the code.  Either way, the dns hijacking theory is discounted by the tcp port having been changed too, and perhaps the local miner malware possibility is much more likely.  But in order to find out which, we must all stop placing blame on dns hijacking ghosts.

Update:  I misread your question.  Yes a stratum connection must be active in order for a miner to receive a client.reconnect command message, and only the miner side can initiate a stratum connection.  In your case using quotas (as per your description), you would have active connections to a minimum of two stratum servers.  But even without using quotas, cgminer will connect to backup servers IF the active server cannot provide work at a rate fast enough to keep the GPUs fully utilized. (unless the failover-only option is specified on the command line or in the configuration file.)

Another update:  I've realized that technically speaking, a dns hijack could still indeed be in play, followed by a client.reconnect message from a rogue stratum server in order to change the tcp port, but that just seems awfully convoluted.  For if one were to hijack a dns server to redirect a miner to a different server on port 3333, why would they they redirect again to port 3009?  -- unless they are using the technique to load balance stolen hashpower to multiple rogue servers, but then only one rogue ip address and tcp port combination has been reported here.  Has anyone observed any other rogue server ip addresses or tcp ports?

[comeonalready]

Hi,

We wanted to provide some clarity about our hosting.

GAW Inc owns a family of technology companies, including a national ISP. We own collocations all over the country. So power and hosting is a sunk cost to us. Our other technology divisions make up 95% of our revenues.  

So all customers that receive our hosting, bandwidth, and electricity will continue to remain free. We enjoy bringing new things to the market. And plan to provide free hosting and power for more products. We even have a free btc hosted/electric solution we are working on

Thanks for your time

Perhaps I naturally look too deeply, but I happened to notice that while you did promise 'free hosting' in the sentence I marked in bold above, you neglected to include the word 'electricity', except when mentioning your plans, which I assume are always subject to change.  Would you care to clarify, and if I were to purchase equipment from you, then would provisions for hosting services and free electricity in perpetuity be included in a legally binding contract?

There sorry about that

And a legally binding contract?  For without one you could simply change your mind at any time without penalty nor recourse for the buyer.  Having such provisions included on the bill of sale would probably be sufficient.

[GAW Miners]

Hi,

We wanted to provide some clarity about our hosting.

GAW Inc owns a family of technology companies, including a national ISP. We own collocations all over the country. So power and hosting is a sunk cost to us. Our other technology divisions make up 95% of our revenues.  

So all customers that receive our hosting, bandwidth, and electricity will continue to remain free. We enjoy bringing new things to the market. And plan to provide free hosting and power for more products. We even have a free btc hosted/electric solution we are working on

Thanks for your time

Perhaps I naturally look too deeply, but I happened to notice that while you did promise 'free hosting' in the sentence I marked in bold above, you neglected to include the word 'electricity', except when mentioning your plans, which I assume are always subject to change.  Would you care to clarify, and if I were to purchase equipment from you, then would provisions for hosting services and free electricity in perpetuity be included in a legally binding contract?

There sorry about that

And a legally binding contract?  For without one you could simply change your mind at any time without penalty nor recourse for the buyer.  Having such provisions included on the bill of sale would probably be sufficient.

Good suggestion, we will look in to implementing something like that with our TOS

[Zamboniman]

@PW got this from multipool.us

Mar 22 4:22 PM It appears there is some kind of malware diverting some users' hashpower to 206.223.224.225. This is not a multipool pool server. If you are seeing this, please report it as well as what miner you are using, where you obtained it, and check your computer for malware.

It appears that waffle is not the only multipool under attack!

how would people check for this?

Malware cannot explain what has happened.

I am running linux on each of my rigs. On those rigs running linux, there are several different distributions of linux. Linux is notoriously difficult to infect with malware. On those rigs, some are running sgminer, some cgminer 3.7.2 (original) and some kalroth's or other version of cgminer. One of my rigs is running cudaminer. Other people are running various versions of windows, or even Mac, with various miners.

I cannot imagine any malware that could possibly be written to affect multiple miners in multiple operating systems.

In my case, my security practices are very reliable.

When this happened to me, it happened simultaneously on all my rigs all running various OS's and all running different miners.

The symptoms are not indicative of client side malware. It is indicative of some kind of DNS or networking hijacking.

[comeonalready]

Hi,

We wanted to provide some clarity about our hosting.

GAW Inc owns a family of technology companies, including a national ISP. We own collocations all over the country. So power and hosting is a sunk cost to us. Our other technology divisions make up 95% of our revenues.  

So all customers that receive our hosting, bandwidth, and electricity will continue to remain free. We enjoy bringing new things to the market. And plan to provide free hosting and power for more products. We even have a free btc hosted/electric solution we are working on

Thanks for your time

Perhaps I naturally look too deeply, but I happened to notice that while you did promise 'free hosting' in the sentence I marked in bold above, you neglected to include the word 'electricity', except when mentioning your plans, which I assume are always subject to change.  Would you care to clarify, and if I were to purchase equipment from you, then would provisions for hosting services and free electricity in perpetuity be included in a legally binding contract?

There sorry about that

And a legally binding contract?  For without one you could simply change your mind at any time without penalty nor recourse for the buyer.  Having such provisions included on the bill of sale would probably be sufficient.

Good suggestion, we will look in to implementing something like that with our TOS

Now you're just yessing me in order to prevent me from casting any further doubt upon your intentions.  We live in an age where entities such as wireless service providers, cable television providers, financial service companies, hotels, and even internet hosting companies regularly redefine the meaning of 'unlimited' by appending a tiny asterisk next to it, and are continually adding more and more fees below the line over time in an effort make their stated prices look less expensive and more competitive than they really are.  If your offer of free hosting, including internet connectivity and electrical supply for purchased mining hardware is completely genuine, then stand behind your claims by incorporating it into your contracts instead of just 'looking into implementing something like that'.

[utahjohn]

Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

[Zamboniman]

Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgmniner, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?


Seems highly unlikely. Possible, but very unlikely.

[comeonalready]

@PW got this from multipool.us

Mar 22 4:22 PM It appears there is some kind of malware diverting some users' hashpower to 206.223.224.225. This is not a multipool pool server. If you are seeing this, please report it as well as what miner you are using, where you obtained it, and check your computer for malware.

It appears that waffle is not the only multipool under attack!

how would people check for this?

Malware cannot explain what has happened.

I am running linux on each of my rigs. On those rigs running linux, there are several different distributions of linux. Linux is notoriously difficult to infect with malware. On those rigs, some are running sgminer, some cgminer 3.7.2 (original) and some kalroth's or other version of cgminer. One of my rigs is running cudaminer. Other people are running various versions of windows, or even Mac, with various miners.

I cannot imagine any malware that could possibly be written to affect multiple miners in multiple operating systems.

In my case, my security practices are very reliable.

When this happened to me, it happened simultaneously on all my rigs all running various OS's and all running different miners.

The symptoms are not indicative of client side malware. It is indicative of some kind of DNS or networking hijacking.

Though one can easily download maliciously inserted code within 'trusted' linux software, I am generally inclined to agree that the miner-side malware possibility seems unlikely, but cannot as yet be completely ruled out.  

But as far as I know there has not been any effort to identify affected client side operating systems versions, miner versions, pool configurations including backups, failover-only settings, etc, to determine if there are any commonalities.  And from reading this thread, one cannot even determine how many people might have been affected!

Where is poolwaffle through all of this?  I'm one to support weekends off, but this problem is deserving of some attention as he has access to considerably more information than we do.

[Zamboniman]

@PW got this from multipool.us

Mar 22 4:22 PM It appears there is some kind of malware diverting some users' hashpower to 206.223.224.225. This is not a multipool pool server. If you are seeing this, please report it as well as what miner you are using, where you obtained it, and check your computer for malware.

It appears that waffle is not the only multipool under attack!

how would people check for this?

Malware cannot explain what has happened.

I am running linux on each of my rigs. On those rigs running linux, there are several different distributions of linux. Linux is notoriously difficult to infect with malware. On those rigs, some are running sgminer, some cgminer 3.7.2 (original) and some kalroth's or other version of cgminer. One of my rigs is running cudaminer. Other people are running various versions of windows, or even Mac, with various miners.

I cannot imagine any malware that could possibly be written to affect multiple miners in multiple operating systems.

In my case, my security practices are very reliable.

When this happened to me, it happened simultaneously on all my rigs all running various OS's and all running different miners.

The symptoms are not indicative of client side malware. It is indicative of some kind of DNS or networking hijacking.

Though one can easily download maliciously inserted code within 'trusted' linux software, I am generally inclined to agree that the miner-side malware possibility seems unlikely, but cannot as yet be completely ruled out.  

But as far as I know there has not been any effort to identify affected  client side operating systems versions, miner versions, pool configurations including backups, failover-only settings, etc, to determine if there are any commonalities.  And from reading this thread, one cannot even determine how many people might have been affected!

Agreed that it's possible to download malicious code in linux.

Given that I'm running various versions of cgminer, sgminer, bfgminer, and even cudaminer, all git pulled myself and compiled myself, this seems unlikely in the extreme. Possible, but very unlikely. The perpetrator would ave had to insert malicious working code in many different and seperate miners source codes, some completely incompatible with others, administered by many different people, and all able to function simultaneously.

Again, possible, but does not seem very plausible.

[comeonalready]

Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgmniner, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.

You seem to have a good sampling of configurations, so it seems like agood place to start.  Do you they all run on the same local area network?  If so, are they using private ip addresses with your router running network address transalation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?