Post
Topic
Board Pools (Altcoins)
Re: [ANN][POOL] Profit switching pool - wafflepool.com
by
comeonalready
on 23/03/2014, 01:32:34 UTC
For those of you affected by the problem with detailed cgminer logs (from cgminer/sgminer, not CGWatcher, as it does not log such messages), may I suggest that you search for "reconnect requested" messages for any possible evidence of this method being used.

is it too late to scan open ports of whole interwebs to send switch command yet?

The client.reconnect command must originate from the pool stratum server itself, or a TCP packet must be spoofed in order to make it look like it originated from the pool stratum server. In addition, the TCP packet sequence number must be within the proper expected range, and there is an additional stratum sequence counter that would need to be within the proper expected range as well. And as a successfully issued client.reconnect command would cause your miner to immediately disconnect from the active stratum server and initiate a stratum connection to another server specified within the message, wafflepool servers might only see a client disconnecting for no apparent reason.

In any case, even if a wafflepool server were infiltrated only so far as to obtain the list of active network connections containing IP addresses and source ports of miners, then such an attack would be possible. And barring infiltration of any wafflepool server itself, this information could potentially be collected upstream of wafflepool servers if a different piece of network hardware is compromised instead.

That affected miners were showing the unexpected IP address on their status screens suggests an attack other than DNS hijack, as mining software (such as cgminer) that usually displays a server name instead of its resolved address would continue showing a server name, while the underlying network transport would resolve that server name to a different IP address.
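The log check suggested at the top of this post, worked through as an added example (not code from the original thread or from wafflepool): it scans cgminer/sgminer-style console output for "Reconnect requested" lines and flags any that point the miner at a host outside a list of expected pool hosts, which is what an unexpected client.reconnect would look like in a log. The log line format, the sample lines and the expected-host list are assumptions constructed for illustration; real cgminer output may be worded differently, so adjust the regular expression to match your own logs.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample lines in the shape of cgminer/sgminer console output.
# The exact wording is assumed for illustration; check it against your logs.
SAMPLE_LOG = """\
[2014-03-22 23:58:01] Accepted 0a1b2c3d Diff 512/496 GPU 0 pool 0
[2014-03-22 23:58:40] Reconnect requested from pool 0 to stratum+tcp://useast.wafflepool.com:3333
[2014-03-22 23:59:12] Accepted 7e8f9a0b Diff 512/511 GPU 1 pool 0
[2014-03-23 00:01:05] Reconnect requested from pool 0 to stratum+tcp://203.0.113.45:3333
[2014-03-23 00:01:06] Pool 0 stratum+tcp://useast.wafflepool.com:3333 not responding!
"""

# Hosts a legitimate client.reconnect from your pool is allowed to name
# (assumed list; fill in the stratum hosts your pool actually publishes).
EXPECTED_HOSTS = {"useast.wafflepool.com", "euro.wafflepool.com"}

# Matches the assumed "Reconnect requested" line and captures the target URL.
RECONNECT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Reconnect requested from pool (?P<pool>\d+) to (?P<url>\S+)"
)


def _hostname(url):
    # urlparse needs a scheme separator to treat the text as a netloc.
    return urlparse(url if "://" in url else "//" + url).hostname


def _is_ip_literal(host):
    # A reconnect target given as a bare IP rather than a pool host name is
    # exactly what the affected miners in the thread reported seeing.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_reconnects(log_text):
    """Return one dict per 'Reconnect requested' line found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = RECONNECT_RE.match(line)
        if not m:
            continue
        host = _hostname(m.group("url"))
        events.append({
            "ts": m.group("ts"),
            "pool": int(m.group("pool")),
            "url": m.group("url"),
            "host": host,
            "ip_literal": _is_ip_literal(host),
        })
    return events


def suspicious_reconnects(log_text, expected_hosts=EXPECTED_HOSTS):
    """Reconnects whose target host is not one you expect from your pool."""
    return [e for e in parse_reconnects(log_text) if e["host"] not in expected_hosts]


if __name__ == "__main__":
    for event in suspicious_reconnects(SAMPLE_LOG):
        print(f"{event['ts']} pool {event['pool']} redirected to {event['url']}"
              f" (bare IP: {event['ip_literal']})")
```

Run it against a saved cgminer log instead of SAMPLE_LOG to list every redirect your miner accepted; a redirect to a bare IP address that is not on your pool's published host list is the signal the post above says to look for, and the timestamp lets you line it up with the "not responding" or disconnect messages that follow.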