Logs: "Received disconnect from..." without the "Accepted" couterpart
it is brute force attacks
this is method try to find login access by sending login request then testing the result, as long as result is not logged in, it retry another combinaison of login/password until access is granted
mainly aimed on internet:
- FTP (usualy port 21)
- SSH (usualy port 22)
- TS (usualy port 3389)
- Web site login pages (usualy port 80 & 443)
to prevent this kind of attacks:
- (if possible) changing default port
- having a complex password
- trying to avoid use of basic login name (admin/root/administrator,...)
- having a "fail attempt" temporizer, like that it will take too much time to find the good login/password combinaison.
Today most of system tool are enougth secure against this kind of attacks
i don't think you get hacked unless you had an low couple login/password level. this log don't say anything except the attemps failed.
if Hackers got logged in they would have deleted all logs, not only some logs (too much time for nothing).
What you can do (if you really think you have been hacked) is to check if you have a period without logs or missings logs.
as suggeted you can use some tool to prevent thoose attacks like fail2ban
For information the message SSH2_DISCONNECT_BY_APPLICATION
in your case mean that this is a zombie login attempt from a botnet that is authored in Java
It is just a "spam" from probes browsing the internet. They are not dangerous if you don't allow password authentication. These messages are probably only the noise, since they usually don't know any other authentication than password.
To reduce the noise it is possible to set up some fail2ban
, fwknop
or move the service to other port.