We are experiencing several PBXs (so far 120 over the 300 we manage) with unauthorized web logins and international calls. They are all different customers, different networks (some on site, some cloud), different SIP trunks, different logins, different admin passwords (all protected by IP filter and under logs there are no logins with those credentials), bruteforce and 3cx global blacklist active, on some calls didn't go through because there was the "allowed country filter" enabled, STUN disabled from day 1 (and port 5060 is closed anyway). Only thing we noticed it's that they are all old PBXs that were in past on v18 (but may be unrelated since v20 it's quite new and we have PBXs from 2017).
Does anybody else is experiencing the same?
From 3CX support we got the suggestion to enable verbose logs for at least 5 days (and in general we'll enable this by default to every PBX we manage, since basic 1 day logs, that i can recover via VM snapshots, look unuseful because they do not track anything.
Update 8th May: 3CX is escalating the ticket internally