My mistake was leaving the extensions without strong passwords for too long. I left it that way so I could easily test/debug the system. Now I have changed the passwords for every extension.
Although 3CX was set to prevent calls to unauthorised countries, this is how the intruder managed to make calls:
First, he tried to make a simple call, but he got blocked by 3CX:
################################
014/05/05 08:56:11.003|0012|Info(03)| Received event with ID: 12296 generated at: 5/5/2014 8:56:10 AM, written at: 5/5/2014 8:56:10 AM Message: Call from [100] to [9011441904899536] has been rejected by the 3CX Country Blocking Feature [01144].
Reason: 9011441904899536 contains Prefix 01144. Calls to 01144 are not allowed by system.
Resolution: To allow this call access the 3CX Management Console, Settings, Security, Allowed Country Codes and enable the country or continent that matches this prefix.
################################
Then he used this method to bypass the limitation:
################################
2014/05/05 15:52:58.620|0008|Info(03)| SELECT value,kind FROM dnallocation
2014/05/05 15:52:58.635|0008|Info(03)| Parsing reposts file first
2014/05/05 15:52:58.637|0008|Info(03)| select max(idcallhistory3) from callhistory3;
2014/05/05 15:52:58.638|0008|Info(03)| insert into callhistory3 (idcallhistory3, callid, duration, starttime,answertime,endtime, from_no, to_no, group_no, line_no, caller_display_name, is_answ, is_fail, is_compl, is_fromoutside, CallerID, DialedNumber, lastCallerID, lastDialedNumber, mediaType, rate, totalcost, billprefix, BillRateName, GrpAnswDetail, recfile, callchain)values (396,'00000BDCFEA81795_123','00:00:00','2014/5/5 3:52:19 PM',null,'2014/5/5 3:52:51 PM','100','918764672962','','10000','Glavna Linija',False,False,True,False,'100','918764672962','100','18764672962',1,0,0,'','','-2','',E';100;918764672962;10000;' );
2014/05/05 15:52:58.640|0008|Info(03)| insert into CallDetails (IdCallHistory2, DetailNum, ParentDetailNum, Dest_num, StartTime,Dur, AnswerTime, Status, Is_Compl, SpecDstType, is_tooutside, dest_dn, OtherParty,BillPrefix, BillRateName, BillRate, BillCost) values (396,1,0,'18764672962','2014/5/5 3:52:19 PM','00:00:31.4740000',null,5,True,0,True,'10000','100','','','0','0' );
2014/05/05 15:52:58.641|0008|Info(03)| select * from myphone_parsecall(396, interval '-240 minutes')
2014/05/05 15:52:58.644|0008|Info(03)| select max(idcallhistory3) from callhistory3;
2014/05/05 15:53:58.649|0008|Info(03)| SELECT value,kind FROM dnallocation
2014/05/05 15:53:58.664|0008|Info(03)| Parsing reposts file first
2014/05/05 15:53:58.667|0008|Info(03)| select max(idcallhistory3) from callhistory3;
2014/05/05 15:53:58.668|0008|Info(03)| insert into callhistory3 (idcallhistory3, callid, duration, starttime,answertime,endtime, from_no, to_no, group_no, line_no, caller_display_name, is_answ, is_fail, is_compl, is_fromoutside, CallerID, DialedNumber, lastCallerID, lastDialedNumber, mediaType, rate, totalcost, billprefix, BillRateName, GrpAnswDetail, recfile, callchain)values (397,'00000BDCFEA8BC61_124','00:00:00','2014/5/5 3:53:01 PM',null,'2014/5/5 3:53:42 PM','100','918764672962','','10000','Glavna Linija',False,False,True,False,'100','918764672962','100','18764672962',1,0,0,'','','-2','',E';100;918764672962;10000;' );
2014/05/05 15:53:58.669|0008|Info(03)| insert into CallDetails (IdCallHistory2, DetailNum, ParentDetailNum, Dest_num, StartTime,Dur, AnswerTime, Status, Is_Compl, SpecDstType, is_tooutside, dest_dn, OtherParty,BillPrefix, BillRateName, BillRate, BillCost) values (397,1,0,'18764672962','2014/5/5 3:53:01 PM','00:00:39.9790000',null,5,True,0,True,'10000','100','','','0','0' );
2014/05/05 15:53:58.670|0008|Info(03)| select * from myphone_parsecall(397, interval '-240 minutes')
2014/05/05 15:53:58.672|0008|Info(03)| select max(idcallhistory3) from callhistory3;
2014/05/05 15:53:58.674|0008|Info(03)| insert into callhistory3 (idcallhistory3, callid, duration, starttime,answertime,endtime, from_no, to_no, group_no, line_no, caller_display_name, is_answ, is_fail, is_compl, is_fromoutside, CallerID, DialedNumber, lastCallerID, lastDialedNumber, mediaType, rate, totalcost, billprefix, BillRateName, GrpAnswDetail, recfile, callchain)values (398,'00000BDCFEA9603E_125','00:00:07.8950000','2014/5/5 3:53:43 PM','2014/5/5 3:53:50 PM','2014/5/5 3:53:58 PM','100','918764672551','','10000','Glavna Linija',True,False,True,False,'100','918764672551','100','18764672551',1,1,0.1278,'default','default','-2','',E';100;918764672551;10000;' );
2014/05/05 15:53:58.675|0008|Info(03)| insert into CallDetails (IdCallHistory2, DetailNum, ParentDetailNum, Dest_num, StartTime,Dur, AnswerTime, Status, Is_Compl, SpecDstType, is_tooutside, dest_dn, OtherParty,BillPrefix, BillRateName, BillRate, BillCost) values (398,1,0,'18764672551','2014/5/5 3:53:43 PM','00:00:07.6680000','2014/5/5 3:53:50 PM',6,True,0,True,'10000','100','default','default','1','0.1278' );
2014/05/05 15:53:58.676|0008|Info(03)| select * from myphone_parsecall(398, interval '-240 minutes')
2014/05/05 15:53:58.678|0008|Info(03)| select max(idcallhistory3) from callhistory3;
2014/05/05 15:54:58.684|0008|Info(03)| SELECT value,kind FROM dnallocation
##########################################
I think 3CX should take a look at this. They were using "insert into call history" to make these calls. Maybe this is the main reason why attacks on 3CX have recently intensified?
As for forwarding port 5060 on my router, I disabled it, and everything works fine.
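
One way to audit a log like the one above for outbound toll calls, as an added example that is not part of the original post and not 3CX's own code: it parses the `insert into CallDetails` lines and totals, per extension, the outbound calls to destinations outside an allow-list. The function names, the allow-list prefix and the reading of `OtherParty` as the originating extension (it matches `from_no` in the lines above) are assumptions.

```python
import csv
import re
from collections import defaultdict

# Matches the column list and the value tuple of a logged CallDetails insert.
INSERT_RE = re.compile(
    r"insert into CallDetails \((?P<cols>[^)]*)\)\s*values\s*\((?P<vals>.*?)\s*\);", re.I)

# Three CallDetails lines copied from the log excerpt in the post.
SAMPLE_LOG = """
2014/05/05 15:52:58.640|0008|Info(03)| insert into CallDetails (IdCallHistory2, DetailNum, ParentDetailNum, Dest_num, StartTime,Dur, AnswerTime, Status, Is_Compl, SpecDstType, is_tooutside, dest_dn, OtherParty,BillPrefix, BillRateName, BillRate, BillCost) values (396,1,0,'18764672962','2014/5/5 3:52:19 PM','00:00:31.4740000',null,5,True,0,True,'10000','100','','','0','0' );
2014/05/05 15:53:58.669|0008|Info(03)| insert into CallDetails (IdCallHistory2, DetailNum, ParentDetailNum, Dest_num, StartTime,Dur, AnswerTime, Status, Is_Compl, SpecDstType, is_tooutside, dest_dn, OtherParty,BillPrefix, BillRateName, BillRate, BillCost) values (397,1,0,'18764672962','2014/5/5 3:53:01 PM','00:00:39.9790000',null,5,True,0,True,'10000','100','','','0','0' );
2014/05/05 15:53:58.675|0008|Info(03)| insert into CallDetails (IdCallHistory2, DetailNum, ParentDetailNum, Dest_num, StartTime,Dur, AnswerTime, Status, Is_Compl, SpecDstType, is_tooutside, dest_dn, OtherParty,BillPrefix, BillRateName, BillRate, BillCost) values (398,1,0,'18764672551','2014/5/5 3:53:43 PM','00:00:07.6680000','2014/5/5 3:53:50 PM',6,True,0,True,'10000','100','default','default','1','0.1278' );
"""

def parse_call_details(log_text):
    """Return one dict per logged CallDetails insert, keyed by lower-cased column name."""
    rows = []
    for m in INSERT_RE.finditer(log_text):
        cols = [c.strip().lower() for c in m.group("cols").split(",")]
        # The value tuple is comma-separated with single-quoted strings.
        vals = next(csv.reader([m.group("vals")], quotechar="'", skipinitialspace=True))
        if len(cols) == len(vals):  # skip lines that do not parse cleanly
            rows.append(dict(zip(cols, (v.strip() for v in vals))))
    return rows

def seconds(dur):
    """Convert 'HH:MM:SS.fffffff' to seconds."""
    h, m, s = dur.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def flag_outbound(rows, allowed_prefixes):
    """Total outbound calls per extension whose destination is outside the allow-list."""
    report = defaultdict(lambda: {"calls": 0, "seconds": 0.0, "cost": 0.0, "dests": set()})
    for r in rows:
        if r["is_tooutside"] != "True" or r["dest_num"].startswith(tuple(allowed_prefixes)):
            continue
        ext = report[r["otherparty"]]  # assumption: OtherParty is the calling extension
        ext["calls"] += 1
        ext["seconds"] += seconds(r["dur"])
        ext["cost"] += float(r["billcost"])
        ext["dests"].add(r["dest_num"])
    return dict(report)

if __name__ == "__main__":
    # ("0",) is a placeholder allow-list; replace it with the prefixes your site expects.
    for ext, stats in flag_outbound(parse_call_details(SAMPLE_LOG), ("0",)).items():
        print(ext, stats)
```
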