Actually that doesn't require a trunk to be configured, but it does require port 5060 to be forwarded to the core.
The hackers are hunting for externally accessible extensions with weak passwords, the call is just a result of a failed attempt & asterisk shunting the connection to the default incoming route. The number in the 3rd column of the log is likely the extension number they tried to connect as.
If there is no need for external SIP extensions, remove any port forwarding for port 5060, it shouldn't be required for trunk connections.
Regards,
Josh