Hi,
This morning I realized right away something was wrong because Brave browser could not access the Internet. It told me to check my proxy settings.
“Weird” I thought, because I have never used those settings. Sure enough, they had been manually changed to ALL_PROXY=socks://127.0.0.1:8888.
Nothing is listening on 127.0.0.1:8888, but there is a host on my network listening on ports 8888 and 8080 with both services bookmarked in Firefox.
In the GUI, http proxy is now set to 8080.
Update: My computer (Ubuntu 22.04/Jammy) is still affected by the bug that disables Wayland display server protocol even though a fix has been released. Is yours too? Interestingly, it makes it easier for someone to spy on my screen.
You need to improve your reading comprehension or be more honest. I did not blame Mikrotik. Don’t make false accusations. Also, the proxy settings were changed at the system level, not the browser.
Check if your PC is compromised
I don’t know how, but thanks for the tip I guess.
The possibility that the Mikrotik website or their device could be compromised is not something out of science fiction. Insinuating otherwise and trying to shame me for reporting this incident makes you look foolish at best and malicious at worst.
I would agree that I have encountered quite a few weird bugs lately, but does that make ME weird? Again, some questionable people would say yes.
But since you were stating your problem on the Mikrotik forum, it certainly did seem so. And @kleshki simply voiced his doubts … yeah, he might have used different (many more) words while doing it, but so could you word your observation otherwise and/or elsewhere.
Now to your question: some antivirus software tries to (or pretends to) defend against web-based exploits. And the best way of doing it is to scan the web page contents before they are delivered to the browser. And the only “transparent” way of doing it is to use a proxy and let the proxy software do the scanning (which doesn’t really work for encrypted contents, even the proxy doesn’t see the contents unencrypted). So I guess that such antivirus software installs a proxy service and redirects (on system level) all web requests through it.
So a question: what kind of anti virus software are you running on your computers?
Another possibility is a bad one: your computer got infected by some malware and that malware is acting as a proxy … trying to snoop some sensitive data from you (not sure if that’s the best way of doing it since it’s very much detectable as you proved yourself … as the malware would be running on the very same machine, it could snoop communications without explicitly acting as proxy). Or something equally bad.
Maybe you installed some popup blocker and ad blocker that uses the proxy approach.
Or even some VPN apps like Tor?
Or, like mkx says, it’s some antivirus app.
I think I was cautious with my wording. I said I asked elsewhere too. Although strange, there’s the obvious connection with what I was reading on the Mikrotik website so I thought it was appropriate/interesting to share. I clearly said it was a coincidence at this point. Can we put the argument to rest now?
what kind of anti virus software are you running on your computers?
None.
sudo netstat -ntlp | grep 8888
The output of the netstat command should show you the name of the process listening on port 8888 … and that should give you a hint as to what’s going on.
I use netstat regularly. Like I said, nothing is listening on port 8888 or 8080 on my computer.
No VPN or Tor except I tested Tailscale in a virtual machine. I’m aware Brave browser lets you connect to Tor addresses.
I have the uBlock Origin extension installed in Firefox. I also have LibRedirect, KeePassXC-Browser, Privacy Badger and Web Archives. All of them “could read the content of any web page you visit”, but none of them can read my bookmarks. I thought Firefox was running as a sandboxed Snap package but it’s not.
All DNS requests are redirected about equally between Pi-Hole and Adguard. Adguard reports no malware domain blocked and I don’t see anything suspicious on the Pi-Hole dashboard.
Edit: I also use FireHOL and other IP block lists on the edge router. No outbound connection attempt was blocked.
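For the system-level proxy change discussed in this thread, the following added example (not posted by any participant) shows one way to find where a variable such as ALL_PROXY is being set and which endpoint it points to, so that endpoint can then be compared with the netstat output. The function names and the list of files scanned are assumptions based on common Ubuntu locations.

```shell
#!/usr/bin/env bash
# Added example: locate proxy variable assignments and the GNOME proxy settings.

# Print "file:line:assignment" for each proxy variable set in the given files.
find_proxy_assignments() {
    for f in "$@"; do
        [ -r "$f" ] || continue      # skip missing or unreadable files
        grep -HniE '^[[:space:]]*(export[[:space:]]+)?(all|https?|ftp|no)_proxy=' "$f" || true
    done
}

# Reduce a proxy URL to host:port, e.g. socks://127.0.0.1:8888 -> 127.0.0.1:8888
proxy_endpoint() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z0-9+.-]+://##; s#^[^@/]*@##; s#/.*$##'
}

# Scan common locations (assumed list), the live environment and gsettings.
audit_proxy() {
    echo "== assignments in shell/login files =="
    find_proxy_assignments /etc/environment /etc/profile /etc/profile.d/*.sh \
        "$HOME/.profile" "$HOME/.bashrc" "$HOME/.pam_environment"
    echo "== current environment =="
    env | grep -iE '^(all|https?|ftp|no)_proxy=' || true
    if command -v gsettings >/dev/null 2>&1; then
        echo "== GNOME proxy settings =="
        gsettings get org.gnome.system.proxy mode
        gsettings get org.gnome.system.proxy.http host
        gsettings get org.gnome.system.proxy.http port
        gsettings get org.gnome.system.proxy.socks host
        gsettings get org.gnome.system.proxy.socks port
    fi
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_proxy
fi
```

Run it with `--audit`; the modification time of any file it reports helps date the change.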