Showing 8 of 8 results by neogen

Board: Pools (Altcoins)
Re: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com
by neogen on 24/03/2014, 00:39:33 UTC
On the other hand the router idea isn't that likely. I am googling these two IPs (today's and yesterday's where users of Wafflepool and Multipool were redirected) and I find only coin-switching pool threads (I limit search to last 7 days only to filter out junk).

Are any of affected users using any mining-related software on anything other than their rigs and their main computer? Maybe an Android phone and some 3rd party app showing your mining stats?

Your main computer is not likely infected, as you would have your coins stolen too. I would look for something nearby, within the same local network (a smartphone fits perfectly) and something that is related to coin-switching pools (a 3rd party mining stats app, 3rd party rig monitoring software which you found in some coin-switching thread/subreddit/community, etc). Just wild guessing based on what's known about the problem.

Don't know how much this helps or frustrates you. I'm the only one that mines in the house; all mobile devices do not have any mining-related program as I am on iOS, mining alt-coins, and we are very limited as to what apps are available (free apps). I just use the actual web site I am mining at for stats.

Board: Pools (Altcoins)
Re: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com
by neogen on 24/03/2014, 00:20:30 UTC
Also, it can be on your router which you use to connect to the network.

There was a really widespread vulnerability discovered a little over a month ago which was affecting a significant number of home routers: http://www.pcworld.com/article/2097903/asus-linksys-router-exploits-tell-us-home-networking-is-the-vulnerability-story-of-2014.html

It's hard to use to steal coins as all cryptocoin-related traffic is encrypted with the exception of mining. Maybe someone started using this vulnerability to hijack cryptocoin miners?

Anyone heard about this issue among users of non-multi-coin pools?

A possibility, but after reading the article, I am on a Linksys EA4500 with remote administration disabled since the day the router was up and running. Yet I still got hijacked :\

Board: Pools (Altcoins)
Re: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com
by neogen on 24/03/2014, 00:07:29 UTC
It is not a malware on users' computers. Miners are receiving stratum redirect commands. It is most likely a form of MITM attack, but definitely not something on the user end. It is happening among multiple pools with various mining clients and operating systems.

Yes, I've seen the log with the redirect command (the log wasn't from CleverMining, it was on another pool). The redirect command didn't actually come from the legitimate pool. The whole process looked like this:

1. Miner got disconnected from the pool (no idea if it was "natural" or caused by the attacker).
2. Miner reconnected to its pool but it didn't really connect to the pool this time; instead something hijacked this connection.
3. Just after the miner authenticated at the pool (a fake one), it got the redirect command to reconnect to a different IP address.
4. Miner followed the command and connected to the malicious pool.

The redirect command wasn't coming from the legitimate pool. Also, what's important - it wasn't injected into an existing connection between the miner and the legitimate pool. After the disconnect the miner tried to reconnect to the legitimate pool, but this reconnection was hijacked and the miner was redirected to the malicious pool.

You are right that this is a form of Man In The Middle attack, but I think that the MITM attack originates at the user's place. Either on their mining rig or on some other host in the same local network. And if that's the case, then it's most likely done by some malicious software that the user downloaded.

Why do I think that other places of attack (not close to the user) are unlikely? Affected users are geographically distributed all over the world - this is not some regional issue. Affected users were connected to different pools which are using different hosting providers - this is not an attack at the pool level. At the same time the number of affected users is very tiny, which also points to a place of attack close to the user.

This is why I am suspecting some malicious software installed by the user.

For example, a new version of CGWatcher was released on Mar 21st, and the hijacking first started to happen at other multi-pools on Mar 22nd. A new version of popular software is always a good moment to distribute a maliciously modified version. I am not talking about the CGWatcher authors, but someone else might modify the software and distribute the modified version by submitting their own link to Reddit or some other mining-related community.

I am also not saying that a modified CGWatcher is responsible. This is just an example of a theoretical scenario of how the attack might be performed. If you're affected, please think of what software you downloaded, when, where from, etc - based on the example scenario above.

On my work desktop computer at home I have installed nothing relating to mining software since Jan 22, so the possibility of infection from a software installation would be zero on my end. And yet my cudaminer (which has been installed since Jan 22) is also doing a redirect to that malicious IP.
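The redirect sequence described in this post (miner reconnects, authorizes, and is immediately told to go elsewhere) can be checked for in a miner's own protocol log, which is the first place an affected user would want to look. The script below is an added example, not code from the thread, from CleverMining or from cgminer. It assumes the stratum `client.reconnect` method with params `[host, port, wait]`, a cgminer-style `SEND:`/`RECV:` protocol-dump line layout, and a constructed allowed-pool list and sample log; the `190.97.165.179` target is the IP the thread reports, while the hostnames and worker name are made up. It flags any reconnect whose target is not one of the configured pools, and notes when the target is a bare IP rather than a pool hostname and when the command arrived right after `mining.authorize`, matching the sequence above.

```python
"""Flag rogue stratum client.reconnect commands in a miner protocol log.

Added example for the thread above; not cgminer's or CleverMining's code.
Assumes: cgminer-style lines '[ts] SEND: {json}' / '[ts] RECV: {json}',
and the stratum client.reconnect method with params [host, port, wait].
"""
import json
from dataclasses import dataclass
from ipaddress import ip_address

# Pools the operator actually configured (constructed example values).
ALLOWED_POOLS = {"us.clevermining.com", "ny.clevermining.com"}

# Constructed sample log modelling the reported hijack sequence:
# disconnect, reconnect, authorize, then an immediate redirect to a bare IP.
SAMPLE_LOG = [
    '[2014-03-23 19:40:02] Pool 0 stratum+tcp://us.clevermining.com:3333 disconnected',
    '[2014-03-23 19:40:05] SEND: {"id": 1, "method": "mining.subscribe", "params": ["cgminer/3.7.2"]}',
    '[2014-03-23 19:40:05] SEND: {"id": 2, "method": "mining.authorize", "params": ["worker.1", "x"]}',
    '[2014-03-23 19:40:05] RECV: {"id": 2, "result": true, "error": null}',
    '[2014-03-23 19:40:05] RECV: {"id": null, "method": "client.reconnect", "params": ["190.97.165.179", 3333, 0]}',
    '[2014-03-23 19:40:06] RECV: {"id": null, "method": "mining.set_difficulty", "params": [512]}',
    '[2014-03-23 19:40:06] RECV: {"id": null, "method": "client.reconnect", "params": ["ny.clevermining.com", 3333, 0]}',
]


@dataclass
class Finding:
    line_no: int
    host: str
    port: int
    reason: str


def parse_stratum(line):
    """Return the JSON-RPC object embedded in a log line, or None if absent."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        msg = json.loads(line[start:])
    except ValueError:
        return None
    return msg if isinstance(msg, dict) else None


def is_bare_ip(host):
    """True when the reconnect target is a literal IP rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def audit(log_lines, allowed=ALLOWED_POOLS):
    """Return a Finding for every client.reconnect aimed outside the pool list."""
    findings = []
    last_method = None  # last request method seen; responses don't reset it
    for line_no, line in enumerate(log_lines, 1):
        msg = parse_stratum(line)
        if msg is None:
            continue
        method = msg.get("method")
        if method == "client.reconnect":
            params = msg.get("params") or []
            host = str(params[0]) if params else ""
            port = int(params[1]) if len(params) > 1 else 3333
            if host not in allowed:
                reasons = ["target not in configured pool list"]
                if is_bare_ip(host):
                    reasons.append("target is a bare IP, not a pool hostname")
                if last_method == "mining.authorize":
                    reasons.append("arrived immediately after authorize")
                findings.append(Finding(line_no, host, port, "; ".join(reasons)))
        if method:
            last_method = method
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: redirect to {f.host}:{f.port} - {f.reason}")
```

A legitimate redirect to a hostname already in the pool list (the last sample line) is left alone, so the check stays quiet during normal pool maintenance and only fires on the pattern the thread describes.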

Board: Pools (Altcoins)
Re: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com
by neogen on 23/03/2014, 21:25:44 UTC
This is what's on 190.97.165.197:3333

http://pastebin.com/VRqgpDey

It auto-updates and adds new entries every so often. Seems to me that it's some sort of config that is redirecting the miners.

Would this be a compromise on the server or on the mining PC?

Board: Pools (Altcoins)
Re: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com
by neogen on 23/03/2014, 20:29:19 UTC
Here is the whois for clevermining: http://www.whois.com/whois/clevermining.com

vs

the odd IP, also from Panama: http://www.whois.com/whois/190.97.165.179

Two very different sets of IP record information.

Board: Pools (Altcoins)
Re: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com
by neogen on 23/03/2014, 19:58:53 UTC
I noticed it too - all my miners got hijacked and redirected to 190.97.165.179.

I checked cgminer pool settings, and it listed my clevermining pool as alive.

I thought, perhaps just a glitch or something, surely 190.97.165.179 must belong to clevermining.

Who knows, maybe it does. All the whois info reveals servers in Panama, a registrant in Belize and a person living in Moscow, with fake phone numbers etc.

These were on miners that were still set to us.clevermining ... so maybe that got hijacked. I manually set them to ny / sf and things appear to be ok for now.

I am currently on the ny server, it's the same thing, so I'm switching to my old pool for now.

Board: Pools (Altcoins)
Re: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com
by neogen on 23/03/2014, 19:50:04 UTC
New to this pool, left WPool because of hijacking issues and low production numbers. Using Cgminer at 1 Mh/s, been mining for just over 23 hours; the miner stopped and reconnected to IP 190.97.165.179:3333 at 1024 worksize. Can someone please lend some insight? Is this normal behavior?

All info is appreciated, but I'm not overly computer literate and after reading the last 200 posts, you may need to dumb it down a few levels. (You know who you are.)

Thanks

I've noticed the same thing happening to me as well over the last 2 days. I've sent Terk a PM regarding this, waiting for his response. In the meantime I'm going to switch pools until Terk responds and confirms that this is normal.

Board: CPU/GPU Bitcoin mining hardware
Re: Any ASRock 970 Extreme4 owners out there? Problems with GPUs
by neogen on 19/02/2014, 03:01:25 UTC
Managed to get all 4 cards running on this motherboard with 1x to 16x powered risers on all cards. The cards are running fine but I cannot understand why one of the cards' temperature is not reading correctly (temp -103.5C). I've tried a lot of different suggestions on this post but still no luck.
I have tested all the cards and they all work as they should.

Anyone else having this issue? It's been really hurting my head all week.

Specs:
- Ubuntu 12.04
- AMD Sempron 145 Sargas
- G.SKILL Ripjaw 4GB
- EVGA SuperNova 1300W G2 80 GOLD
- Sapphire Radeon 7950 OC (Dual-X)

http://i.imgur.com/vWGcQVM.png