Can you please point out the tutorial that stated to do that...
Forward port 32400
Other thoughts.
Considering just how few invalid login attempts there were, and that a login for ROOT did definitely get in, do you even have a password for the root user set? That alone would have slowed the attack down (wouldn't have stopped it, but may have given you time to have noticed it - btw, if you ran Fix Common Problems on a schedule (its currently disabled), then it would have alerted you to this)