After installing Raritans (Oculan) CC-NOC 2500N (an SNMP network/system monitoring appliance), I received SNMP notifications that various windows systems were changing their IP addresses from a LAN IP (10.1.x.x) to a public IP (220.127.116.11). After an unpredictable amount of time (days to weeks), notifications were received that the IP address of the systems had changed back to their original LAN IP address.
I have blocked incoming and outgoing traffic at my firewall to 18.104.22.168.
I've also used independent SNMP MIB walkers on "affected" machines but did not show any reference to the public IP (22.214.171.124). I've also run Symantec Antivirus 10.0 corporate edition and Webroot Spysweeper against the reported machines.
1. Does this behavior sound familiar to anyone?
2. In order to determine if there is indeed something going on with my windows machines, or if there may be a "bug" with the Raritan equipment, are there any additional techniques I can use to rule out the windows systems?
3. If this behavior is infact an indication that it's a virus/spyware, what is it, and how can I remove it?
Let me know if there's any information I can provide to help resolve this problem.