On the PBX, start up ‘tcpdump -i eth0 host <IP of Phone>’ and see if there’s any traffic from the PBX to the phone. If that doesn’t do the trick, you might need to look at your network and see if someone, somewhere, is calling your extension using a direct “SIP” address. Doing a line capture that allows you to monitor the IP address of the phone will be required for this to work. This could be a problem with a bad machine on your network, someone playing around with a softphone, or someone outside your network ringing the phone.
If your DND is set on the server (and not on the phone), the DND setting will be ignored on a direct call to the extension from outside, so I’d probably start with the network checks. FMFM is the same deal - FMFM is a server function, not a phone function.
Once you are convinced this is not a PBX issue, the most likely explanation is that your phone is using port 5060 locally for SIP. Certain routers will leave that port open allowing malicious SIP packets from the internet to your phone. You can configure the phone (not the pbx) to use a different SIP port or the phone may have security settings you can enable so that it only accepts SIP packets from hosts to which it’s registered.