I am grasping at straws at this point; that is why I brought it up.
As for the scene you described, that scares the hell out of me. Up until 4 days ago we had 7 servers way behind in updates, we still have no IDS, and I have a boss that reamed me when I brought this stuff up.
That said, if I sniff the network for the offending IP address, shouldn't I be able to see traffic from "both" systems using the IP? And if that is the case, tracking down the other system may be something to try.
Food for thought, thanks!