Community discussions

MikroTik App
 
User345135
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik website

Sun Sep 15, 2024 9:04 pm

Hi,
This morning I realized right away something was wrong because Brave browser could not access the Internet. It told me to check my proxy settings.
"Weird" I thought, because I have never used those settings. Sure enough, they had been manually changed to ALL_PROXY=socks://127.0.0.1:8888.
Nothing is listening on 127.0.0.1:8888, but there is a host on my network listening on ports 8888 and 8080 with both services bookmarked in Firefox.
In the GUI, http proxy is now set to 8080.

How did that happen or how can I find out?

I am asking here too because I coincidentally had the page help.mikrotik.com/docs/display/ROS/SOCKS opened in Firefox and you guys are very good at networking.
 
User345135
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik websi

Mon Sep 16, 2024 11:23 pm

Update: My computer (Ubuntu 22.04/Jammy) is still affected by the bug that disables Wayland display server protocol even though a fix has been released. Is yours too? Interestingly, it makes it easier for someone to spy on my screen.

https://bugs.launchpad.net/ubuntu/+sour ... ug/1968929 (Nvidia) Fixed
https://bugs.launchpad.net/ubuntu/+sour ... ug/1969243 (Non-Nvidia) Fixed

Edit: Surprise! As it turns out, it's not really fixed: https://bugs.launchpad.net/ubuntu/+sour ... ug/2020249
 
kleshki
Member Candidate
Member Candidate
Posts: 285
Joined: Tue Mar 10, 2020 6:37 am

Re: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik websi

Tue Sep 17, 2024 1:07 am

Blaming MikroTik for setting proxy properties in your browser in another stage of weirdness. Check if your PC is compromised
 
User345135
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik websi

Tue Sep 17, 2024 3:32 am

Blaming MikroTik for setting proxy properties in your browser.
You need to improve your reading comprehension or be more honest. I did not blame Mikrotik. Don't make false accusations. Also, the proxy settings were changed at the system level, not the browser.
Check if your PC is compromised
I don't know how, but thanks for the tip I guess.

The possibility that the Mikrotik website or their device could be compromised is not something out of science fiction. Insinuating otherwise and trying to shame me for reporting this incident makes you look foolish at best and malicious at worst.

I would agree that I have encountered quite a bit of weird bugs lately but does that make ME weird? Again, some questionable people would say yes.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12828
Joined: Thu Mar 03, 2016 10:23 pm

Re: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik websi

Tue Sep 17, 2024 8:38 am

Blaming MikroTik for setting proxy properties in your browser.
You need to improve your reading comprehension or be more honest. I did not blame Mikrotik.
But since you were stating your problem on Mikrotik forum, it certainly did seem so. And @kleshki simply voiced his doubts ... yeah, he might have used different (many more) words while doing it, but so could you word your observation otherwise and/or elsewhere.

Now to your question: some antivirus software try to (or pretend to) defend against web-based exploits. And the best way of doing it is to scan the web page contents before being delivered to browser. And the only "transparent" way of doing it is to use proxy and let proxy software do the scanning (which doesn't really work for encrypted contents, even proxy doesn't see contents unencrypted). So I guess that those antivirus software install a proxy service and redirect (on system level) all web requests through it.
So a question: what kind of anti virus software are you running on your computers?

Another possibility is a bad one: your computer got infected by some malware and that malware is acting as a proxy ... trying to snoop some sensitive data from you (not sure if that's the best way of doing it since it's very much detectable as you proved yourself ... as the malware would be running on the very same machine, it could snoop communications without explicitly acting as proxy). Or something equally bad.
 
User avatar
patrikg
Member
Member
Posts: 353
Joined: Thu Feb 07, 2013 6:38 pm
Location: Stockholm, Sweden

Re: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik websi

Tue Sep 17, 2024 10:23 am

Maybe you installed some popup blocker and ad blocker, that uses the proxy approach.
Or even some vpn apps like tor ?
Or like mkx says it's some antivirus app.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12828
Joined: Thu Mar 03, 2016 10:23 pm

Re: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik websi

Tue Sep 17, 2024 10:56 am

@User345135: since you're running ubunti, run
sudo netstat -ntlp | grep 8888

If you don't have netstat installed, install it using command
sudo apt install net-tools

The output of netstat command should show you name of process listening on port 8888 ... and that should give you a hint as to what's going on.
 
User avatar
patrikg
Member
Member
Posts: 353
Joined: Thu Feb 07, 2013 6:38 pm
Location: Stockholm, Sweden

Re: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik websi

Tue Sep 17, 2024 6:51 pm

The new way of doing netstat is via command ss, so this can be done with:
sudo ss -tnlp
That
t=tcp.
n=don't do dns lookups.
l=only listening ports.
p=what program/process is open this port.
 
User345135
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik websi

Tue Sep 17, 2024 11:35 pm

but so could you word your observation otherwise and/or elsewhere.
I think I was cautious with my wording. I said I asked elsewhere too. Although strange, there's the obvious connection with what I was reading on the Mikrotik website so I thought it was appropriate/interesting to share. I clearly said it was a coincidence at this point. Can we put the argument to rest now?
what kind of anti virus software are you running on your computers?
None.
sudo netstat -ntlp | grep 8888
The output of netstat command should show you name of process listening on port 8888 ... and that should give you a hint as to what's going on.
I use netstat regularly. Like I said, nothing is listenning on port 8888 or 8080 on my computer.
Maybe you installed some popup blocker and ad blocker, that uses the proxy approach.
Or even some vpn apps like tor ?
No VPN or Tor except I tested Tailscale in a virtual machine. I'm aware Brave browser lets you connect to Tor addresses.

I have the Ublock Origin extension installed in Firefox. I also have LibRedirect, KeypassXC-Browser, Privacy Badger and Web Archives. All of them "could read the content of any web page you visit", but none of them can read my bookmarks. I thought Firefox was running as a sanboxed Snap package but it's not.

All DNS requests are redirected about equally between Pi-Hole and Adguard. Adguard reports no malware domain blocked and I don't see anything suspicious on the Pi-Hole dashboard.
Edit: I also use FireHOL and other IP block lists on the edge router. No outbound connection attempt was blocked.

https://support.mozilla.org/en-US/kb/pe ... l-websites
Last edited by User345135 on Thu Sep 19, 2024 3:07 am, edited 3 times in total.
 
User345135
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 67
Joined: Thu Jun 06, 2024 9:21 pm

Re: Ubuntu proxy settings changed itself to all_proxy=socks://127.0.0.1:8888 while reading about socks on Mikrotik websi

Wed Sep 18, 2024 4:49 am

Uh-oh, the Stasi is back.
Image

Who is online

Users browsing this forum: G7VEN and 46 guests