I was a bit premature. More logs just came through.
Time Facility Level Category Messages
Aug 25 08:11:13 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.148.121.28 DST=84.64.*.* LEN=432 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=5120 DPT=4399 LEN=412 MARK=0x10000000
Aug 25 04:48:47 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.143.220.66 DST=84.64.*.* LEN=441 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5200 DPT=5080 LEN=421 MARK=0x10000000
Aug 25 04:48:47 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.143.220.66 DST=84.64.*.* LEN=439 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5200 DPT=5070 LEN=419 MARK=0x10000000
Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3353 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3354 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3356 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3361 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3352 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
The first two attacks were via port 5200:

Port 5200 Details
Port(s) Protocol Service Details Source
5200 tcp,udp targus-getdata TARGUS GetData, Echolink, EchoMac (TCP)
Siemens SpeedStream 5200 with NetPort Software 1.1 allows remote attackers to bypass authentication via an invalid Host header, possibly involving a trailing dot in the hostname.
References: [CVE-2008-6916], [BID-32203]
https://www.speedguide.net/port.php?port=5200
It appears Zyxel are no strangers to these botnet attacks. I wonder if other Zyxel router users are experiencing this?
Zyxel security advisory for the recent botnet attacks targeting PK5001Z
Edited by Natty (Tue 25-Aug-20 08:46:48)
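As an added example, not part of Natty's post or anything shipped by Zyxel, here is a small Python parser for the netfilter-style kernel log lines above, with the two checks a practitioner would run over them: a source sending SYNs to several destination ports within the same second (the 87.251.75.124 burst), and dropped UDP probes grouped by source and destination port. The sample lines are constructed copies of the post's entries with the destination written as `84.64.*.*`; the function names and the three-port threshold are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the Zyxel firewall log in the post
# (netfilter-style key=value fields; destination octets masked as in the post).
SAMPLE_LOG = """\
Aug 25 08:11:13 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.148.121.28 DST=84.64.*.* LEN=432 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=5120 DPT=4399 LEN=412 MARK=0x10000000
Aug 25 04:48:47 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.143.220.66 DST=84.64.*.* LEN=441 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5200 DPT=5080 LEN=421 MARK=0x10000000
Aug 25 04:48:47 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.143.220.66 DST=84.64.*.* LEN=439 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5200 DPT=5070 LEN=419 MARK=0x10000000
Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3353 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3354 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3356 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3361 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3352 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
"""

# "Mon DD HH:MM:SS <facility> <level> <category> kernel: <key=value fields>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ \S+ kernel: (?P<fields>.*)$"
)
INT_FIELDS = {"SPT", "DPT", "TTL", "ID", "LEN", "WINDOW"}


def parse_line(line):
    """Parse one firewall log line into a dict, or return None if it does not match.

    Bare tokens such as DF and SYN become True flags. LEN= appears twice on UDP
    lines (IP header, then UDP header); the first is kept as LEN, the second as LEN2.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key in INT_FIELDS and val.isdigit():
                val = int(val)
            if key in rec:  # repeated key: the inner (transport-layer) value
                key += "2"
            rec[key] = val
        else:
            rec[tok] = True
    return rec


def parse_log(text):
    """Parse every line of a log dump, skipping lines that are not firewall events."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_syn_scans(records, min_ports=3):
    """Flag a SYN burst (same SRC, same second) that hits at least min_ports
    distinct destination ports. Bucketing on the raw timestamp string is
    deliberate: the log has one-second resolution and no year, so no date
    arithmetic is needed for a same-second check. The fixed source port is
    reported because a constant SPT across a burst is a useful pivot field.
    """
    bursts = defaultdict(set)
    spts = {}
    for r in records:
        if r.get("PROTO") == "TCP" and r.get("SYN"):
            bursts[(r["SRC"], r["ts"])].add(r["DPT"])
            spts[(r["SRC"], r["ts"])] = r.get("SPT")
    return [
        {"src": src, "time": ts, "ports": sorted(ports), "spt": spts[(src, ts)]}
        for (src, ts), ports in sorted(bursts.items())
        if len(ports) >= min_ports
    ]


def udp_probes(records):
    """Map each source of dropped UDP traffic to the destination ports it probed."""
    probes = defaultdict(set)
    for r in records:
        if r.get("PROTO") == "UDP":
            probes[r["SRC"]].add(r["DPT"])
    return {src: sorted(ports) for src, ports in probes.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for scan in find_syn_scans(recs):
        print(f"SYN scan from {scan['src']} at {scan['time']}: "
              f"ports {scan['ports']} (source port {scan['spt']})")
    for src, ports in udp_probes(recs).items():
        print(f"UDP probes from {src}: ports {ports}")
```

Run against the lines above this reports one SYN burst (87.251.75.124 to five ports in the 335x/336x range from source port 65533) and two UDP sources, one hitting 4399 and one hitting 5070 and 5080. Note that the UDP lines have 5200 as the source port (SPT), and 5070/5080 as the destination (DPT); the parser keeps both so the two are not confused when pivoting on port.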