I spent the better part of the day investigating this issue.
- It's not a pool-side hack - No pool servers are or were compromised
- It's not a pool-side close network hack - No datacenter infrastructure is compromised
- It only affects certain clients, is not pool wide, and affects affected clients repeatedly
Presumably there is some issue with some client-side routing hardware that is being exploited. Anyone affected, please post how you're connected to the net: PC->Router->Cable Modem, etc., with makes/models of such so we can possibly narrow this down.
#1
2 S1's behind an old Linksys running DD-WRT (V24-sp2)
Our own IP space (Juniper running BGP)
#2
1 S1 running behind a TRENDnet TW100-BRV214
However a few Technobits running on a TL-MR3020 pointing to BTC were not hit
On cable
#3
S1 and a generic Avalon behind a ZuniConnect router pointing to GHash were hit.
On cable.
-Dave