Are there any instances where /ip ssh set forwarding-enabled=remote would be set automatically? I.e. firmware update etc
I’m seeing this has been turned on for some routers. I’m thinking they may be compromised and this is being used as an attack mechanism
Yes, it has come up a couple of times, see http://forum.mikrotik.com/t/v6-44-5-long-term-is-released/131452/60 and http://forum.mikrotik.com/t/ssh-forwarding-after-upgrade-to-6-44-or-higher/131791/2
Previous versions of RouterOS had SSH port forwarding enabled and no mechanism to disable it.