@PW got this from multipool.us
Mar 22 4:22 PM It appears there is some kind of malware diverting some users' hashpower to 206.223.224.225. This is not a multipool pool server. If you are seeing this, please report it as well as what miner you are using, where you obtained it, and check your computer for malware.
It appears that waffle is not the only multipool under attack!
How would people check for this?
Malware cannot explain what has happened.
I am running Linux on each of my rigs. On those rigs running Linux, there are several different distributions of Linux. Linux is notoriously difficult to infect with malware. On those rigs, some are running sgminer, some cgminer 3.7.2 (original) and some kalroth's or other version of cgminer. One of my rigs is running cudaminer. Other people are running various versions of Windows, or even Mac, with various miners.
I cannot imagine any malware that could possibly be written to affect multiple miners in multiple operating systems.
In my case, my security practices are very reliable.
When this happened to me, it happened simultaneously on all my rigs, all running various OSes and all running different miners.
The symptoms are not indicative of client-side malware. They are indicative of some kind of DNS or networking hijacking.
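One way to check a rig for the redirection discussed in this thread, as an added example that is not part of any post: list the TCP peers of the miner processes and flag any address that is not on a list of pool addresses you confirmed out of band. Because DNS hijacking is one of the suspected causes, the allowlist should not come from the rig's own resolver. The `ss -tnp` sample, the allowlisted addresses and the function names are constructed for illustration; only 206.223.224.225 and the miner names come from the thread.

```python
import ipaddress
import re

MINERS = {"sgminer", "cgminer", "cudaminer"}  # miners named in the thread

# Constructed `ss -tnp` output (not captured from a real rig).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.20:51514 198.51.100.10:3333 users:(("sgminer",pid=1410,fd=9))
ESTAB 0 0 192.168.1.21:40022 206.223.224.225:3333 users:(("cgminer",pid=2211,fd=7))
ESTAB 0 0 192.168.1.21:22 192.168.1.5:50210 users:(("sshd",pid=901,fd=4))
ESTAB 0 0 [2001:db8::21]:41000 [2001:db8::beef]:3333 users:(("cudaminer",pid=3100,fd=5))
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def split_peer(peer):
    """Split 'ip:port' or '[ipv6]:port' into (ip_address, port)."""
    host, _, port = peer.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def unexpected_miner_peers(ss_output, allowed_ips, miners=MINERS):
    """Return (process, pid, peer_ip, peer_port) for every established
    connection owned by a miner whose peer is not in allowed_ips."""
    allowed = {ipaddress.ip_address(a) for a in allowed_ips}
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue  # header, non-established socket, or no process info
        match = PROC_RE.search(" ".join(fields[5:]))
        if not match or match.group(1) not in miners:
            continue  # not a miner process (for example sshd)
        ip, port = split_peer(fields[4])
        if ip not in allowed:
            findings.append((match.group(1), int(match.group(2)), str(ip), port))
    return findings


if __name__ == "__main__":
    # Allowlist is constructed; use addresses confirmed with the pool operator.
    for hit in unexpected_miner_peers(SAMPLE_SS, ["198.51.100.10", "2001:db8::beef"]):
        print("unexpected pool peer:", hit)
```

On a real rig, feed the function the output of `ss -tnp` run as root so that other users' processes are listed. The check only catches redirection that changes the address the miner is connected to.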