What is the equivalent for a bat file? (don't use config)

Guys, Did you see my message I am using Kalroth 3.7.3 and all I changed from Sgminer 4.1.0 is From -i 20   To --xintensity 500 <
...
For some stupid reason all i was seeing is probing for alive pool, Yes I do have Failover set, not sure if the commands are like sgminer like I said the Batch file was exactly like cgminer I deleted the Config.cf as I was only using a Batch file...
...
So All I have is cgminer.exe -o stratum Bla bla bla -u afkhs;dfjhfg;ksfjghs -p x --xintensity 500 -g 1 -w 256 etc etc you get the point I hope....

I tried Middlecoin , Waffle, Multipool, Clevermining and they all said probing for alive pool....

Do we have a thread with full details on everyone who has been affected?  All software installed and versions, OS, patches, windows updates on/off, last time any configuration was modified, router, ISP, location, etc?

Do we have any way to reproduce this?  Does anyone with logging enabled have a record of the request?  Is it happening frequently enough to run a network monitor?  Do we know what coin is being maliciously mined?

On the other hand the router idea isn't that likely. I am googling these two IPs (today's and yesterday's where users of Wafflepool and Multipool were redirected) and I find only coin-switching pool threads (I limit search to last 7 days only to filter out junk).

Are any of affected users using any mining-related software on anything other than their rigs and their main computer? Maybe an Android phone and some 3rd party app showing your mining stats?

Your main computer is not likely infected, as you would have your coins stolen too. I would look for something nearby, within the same local network (a smartphone fits perfectly) and something what is related to coin-switching pools (a 3rd party mining stats, a 3rd party rigs monitoring software which you found in some coin-switching thread/subreddit/community, etc). Just wild guessing based on what's known about the problem.

There's not much I can do other than disable the reconnect code, which several individuals already have done.
I'll do a quick update of my github and binaries soon enough.

From a quick glance, it looks like someone found a way to send a spoofed* JSON packet to stratum pools, which makes the pool send a redirect request to (some of?) its clients.
It does not look like it's a bug in the client software, merely an unfortunate feature.

* http://en.wikipedia.org/wiki/IP_address_spoofing

And you had the issue happen to you?

I tried to do a traceroute on the ip and it times out after a couple hops from my isp to max of 30 hops ...

anybody do a whois on it?  I don't know command on winblowz.  Suppose I could fire up LMDE in a Virtualbox and try ...

I cannot help but wonder that if it is a true man in the middle attack, then why would he even bother allowing miners to initiate and authorize a stratum connection to the intended pool server in the first place, instead of just rewriting the destination headers in the incoming tcp packets from the clients to include the desired server ip address and tcp port within the incoming packets themselves, as he would be also able to rewrite source headers withing the return traffic?  By doing that, the miners would still see wafflepool listed on their cgminer display, as opposed to the rogue server ip address.  This could suggest that he is only able to inspect the traffic but not rewrite it, so therefore tcp packets with forged source headers are being sent to miners because he is not relaying traffic but only inspecting it.

Though in support of a true man in the middle attack, for a day or two you had been searching for a reason why miners were not receiving work from the servers quickly enough, such that some miners (specifically cudaminers) we going idle.  At that point he might have still been setting up shop but not yet begun his attack.

Things it could still be:
1) Miner malware.  It hits too many different configurations (OS's, miner versions, etc) to be in the miner itself.  Perhaps a bad wallet or something, but to accomplish what they're doing, it would need to be injecting packets into your TCP stack, which while possible, is unlikely.

What we think it is:
Our best guess at the current time is a MITM attack somewhere on the internet.