Trying to understand (My system was hacked)

I recently saw some strange cdr records in my system. I thought our son had been playing with the GigaSet calling random numbers as the calls happened in the early morning.
But now when I checked the call log of the GigaSet there were no calls made after all.
So first thing I did was to change the secret of the phone and changed the outgoing routes so only free calls can be made. (Inside the USA/Canada with GV, and to Holland via a dutch provider)
But what I am trying to understand is that how it was possible as I don’t allow external registrations calls have been made and in the CDR they seem to be placed by my internal extension (701) with context from-internal.
Luckily the damage so far is only Euro 8.08.
Furthermore I have no portforwarding whatsoever towards my freepbx.
All successful calls have been made to Slovenia for 24.5 cents a minute :frowning:

Somehow it looks like a IP address from Palestine registered my internal extension
Registered SIP ‘701’ at

Server Details

IP address:
Server Location: Palestinian Territory
ISP: Palestine Telecommunications Company (PALTEL)

I also know that fail2ban is a helpful tool and will not completely safe you from intrusion but why sometimes only reporting after 40+ times while it is configured to report much sooner?