My FreePBX system has been hacked

So my trunk provider, Vitelity, detects unusual Intl call volume and shuts off International. Phew. Their call logs show about $50 worth of international calls from my IP 12/14/16 18:18.
I’ve checked my asterisk logs for the time and CDR and found no reference to that number.
What else can I check?
I was hoping to find the extension they went through or some clue.
Is there a “Tighten FreePBX Security Guide?”

Two possible vectors, a hacker got your Vitelity credentials and made calls by connecting directly to Vitelity, or they compromised your system and placed the calls through your PBX (and possibly both). If you can’t tell which, the safest way forward is to abandon the PBX and start from scratch on a new system. All SIP secrets are stored in plain text, so you proceed under the assumption they are now known.

No guide as such. Start with FreePBX 13 and configure the firewall to only permit access by trusted hosts. If that is not possible, enable responsive firewall to permit limited SIP/IAX access to untrusted hosts.

Thank you.
If they were made through the pbx, wouldn’t they have shown up in the logs?

Security basics:

  • Use official repositories and make sure you stay up to date
  • Don’t expose your box to the internet
  • If you MUST have your box on the internet whitelist IP addresses. Don’t let the world through, just Bob.
  • Use secure passwords for everything. Passwords for endpoints and sip accounts that don’t have to be typed by humans use 20 or 30 character passwords with mixed case, numbers and symbols.
  • Put up safe guards. It sounds like Vitality did this limiting your liability to $50 rather than $5000

logs are mysql they can be erased.
If they use custom dialplan they can opt out of the logs