Hackers frequently scan for open TCP/UDP 5060. If your router has a voice-port in it, it will listen on these ports by default. Additionally, any incoming H323 or SIP call will match dial peer 0 by default, and then will be eligible to be routed out of your T1. By disabling SIP completely if you're not using it, you will mostly avoid this. Nearly every case I've seen of this has been SIP related even though the same thing is possible with H323. I suggest blocking TCP 1720 and UDP/TCP 5060 from the public, among other general security ports like 23 for telnet.
These are the paths to get to each CCX logs through CLI. They may be helpful if you are having issues accessing RTMT or downloading logs through it.
If you want to download them you have to prefix "file get " and you can add one of the options (re...