Ohh! now it makes way more sense!I think maybe I didn't state this entirely clearly.
vsThere was a version 6.42.5
It is confirmed that this was another case of hacked router due to a insecure firewall configuration in combination with old RouterOS version
/interface ethernet export
or
/interface ethernet poe export
/caps conf unset [find where name="somethingsomething"] datapath.local-forwarding