That affected miners were showing the unexpected ip address on their status screens suggests an attack other than dns hijack, as mining software (such as cgminer) that usually displays a server name instead of its resolved address, would continue showing a server name, but the underlying network transport would resolve that server name to a different ip address.
sgminer and cgminer-37.3 (k) display pool names from their config files even when you set url to hard ://ip did someone changed configs during the "thing" to point miners to ://ip instead of name of the server? or may be to other pool and it went ok? what platform did miners who suffered used? bamt(what version and miner) or win cg or sg or cg-k? and what does edumacate mean?
and, considering scrypt asic situation right now, i would invest some $ in this kind of uberswitcherfacetoassbassin (the one, switching dns servers instead of coins)