That's bizarre - but it still has me wondering how the FTP traffic got in, through NAT. If they weren't on the correct FTP port (21) the login attempts would not have registered at all. So I don't think UPnP is the final answer here, and would still check for any Port Forwarding settings on the HomeHub.
I'm a bit rusty on the issues, but I'm reading about some of the problems with UPnP, and they include security holes in its Internet Gateway Device spec. According to a report on Wikipedia, a Flash applet on a website can get a UPnP-enabled router to set up port forwarding, exposing a computer to internet attacks.
Basically, UPnP devices within a small network will negotiate (without your knowledge) with a UPnP-enabled router in order to open the relevant ports required for the services the device wants to use.
Hence, the NAS firmware's UPnP has told the HomeHub that it wants to open 20/21 and the HomeHub has duly obliged... leaving an FTP service open on the internet, which has subsequently been found by script kiddies with probes looking at 20/21 on a range of IP addresses.
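
A way to check for the mappings described above, as an added example that is not part of the original thread: it parses the responses a router returns for the standard IGD action GetGenericPortMappingEntry (WANIPConnection:1) and flags enabled mappings on 20/21 that accept any remote host. The SOAP bodies, addresses and descriptions are constructed sample data; fetching them from a real router is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

# Constructed template of one GetGenericPortMappingEntry response (sample data).
TEMPLATE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse
      xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{port}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{port}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""

# Constructed mappings: (external port, protocol, internal client, description).
SAMPLE = [
    (21, "TCP", "192.168.1.50", "NAS FTP control"),
    (20, "TCP", "192.168.1.50", "NAS FTP data"),
    (51413, "UDP", "192.168.1.20", "torrent client"),
]
RESPONSES = [TEMPLATE.format(port=p, proto=pr, client=c, desc=d)
             for p, pr, c, d in SAMPLE]

def parse_mapping(xml_text):
    """Return the New* arguments of one response as a dict (prefix stripped)."""
    root = ET.fromstring(xml_text)
    return {el.tag[3:]: (el.text or "")
            for el in root.iter() if el.tag.startswith("New")}

def exposed(mappings, watched=(20, 21)):
    """Enabled mappings on watched ports that accept any remote host."""
    return [m for m in mappings
            if m["Enabled"] == "1"
            and m["RemoteHost"] == ""   # empty value is the wildcard: any host
            and int(m["ExternalPort"]) in watched]

def audit(responses):
    return exposed([parse_mapping(r) for r in responses])

if __name__ == "__main__":
    for m in audit(RESPONSES):
        print(f'{m["Protocol"]} {m["ExternalPort"]} -> {m["InternalClient"]}:'
              f'{m["InternalPort"]} ({m["PortMappingDescription"]})')
```

Any mapping this reports that was never set up by hand in the router's Port Forwarding page was created over UPnP by a device on the LAN.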