I host a Linux server on my home network, and I was recently shocked to see 46,000 SSH login attempts over the past few months (looking in /var/log/auth.log). Of these, I noticed that there was one successful login into an account named "temp." This temp user was able to add itself to sudoers and it looks like it set up a cron job.
I deleted the user, installed fail2ban, ran rkhunter until everything was fixed, and disabled SSH password authentication. Absolutely careless of me to have not done this before.
A few days ago, I saw this message on my phone (I found this screenshot on google, but it was very similar):
https://discussions.apple.com/content/attachment/97260871-dbd4-4264-8020-fecc86b71564
This is what inclined me to look into this server's security, which was only intended to run a small nginx site.
What might have been compromised? What steps should I take now?
Edit: Distro is Ubuntu 22.04.4 LTS
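The triage described in the post (a flood of failed SSH logins, one accepted login to an account the admin never created, then sudo activity from it) can be pulled out of /var/log/auth.log mechanically. The following is an added example, not code from the poster or from any reply; the log lines it runs over are constructed in the Ubuntu 22.04 rsyslog format, the user "alice" is an assumed legitimate account, and the sudo commands shown are illustrative.

```python
import re
from collections import Counter

# Line shapes written by sshd and sudo via rsyslog on Ubuntu 22.04.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SUDO = re.compile(r" sudo:\s+(\S+) : .*COMMAND=(.*)$")

# Constructed sample auth.log excerpt (not real log data); "alice" is the assumed admin account.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 homeserver sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 02:14:09 homeserver sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 02:14:12 homeserver sshd[1205]: Failed password for temp from 198.51.100.22 port 40022 ssh2
Mar  3 02:15:31 homeserver sshd[1210]: Accepted password for temp from 198.51.100.22 port 40031 ssh2
Mar  3 02:16:02 homeserver sudo:     temp : TTY=pts/0 ; PWD=/home/temp ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  3 02:16:40 homeserver sudo:     temp : TTY=pts/0 ; PWD=/home/temp ; USER=root ; COMMAND=/usr/bin/crontab -e
Mar  3 09:00:01 homeserver sshd[1300]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2: ED25519 SHA256:placeholder
"""

def audit_auth_log(text, expected_users):
    """Summarise failed logins per source IP and flag accepted logins and sudo use
    by accounts outside `expected_users` (the set of accounts you actually created)."""
    failed_by_ip = Counter()
    accepted, suspicious_logins, suspicious_sudo = [], [], []
    for line in text.splitlines():
        if m := FAILED.search(line):
            failed_by_ip[m.group(2)] += 1
        elif m := ACCEPTED.search(line):
            method, user, ip = m.groups()
            accepted.append((method, user, ip))
            # Once keys are the policy every password login is suspect, and any
            # login to an account you did not create is an incident.
            if method == "password" or user not in expected_users:
                suspicious_logins.append((method, user, ip))
        elif m := SUDO.search(line):
            user, command = m.groups()
            if user not in expected_users:
                suspicious_sudo.append((user, command.strip()))
    return {
        "failed_total": sum(failed_by_ip.values()),
        "failed_by_ip": failed_by_ip,
        "accepted": accepted,
        "suspicious_logins": suspicious_logins,
        "suspicious_sudo": suspicious_sudo,
    }

if __name__ == "__main__":
    report = audit_auth_log(SAMPLE_AUTH_LOG, {"alice"})
    print(report["failed_total"], report["failed_by_ip"].most_common(3))
    print(report["suspicious_logins"], report["suspicious_sudo"])
```

On a real host, feed it the rotated files too (auth.log.1, auth.log.*.gz), since the first successful login is often weeks before the symptom that prompts the investigation.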
Posted 6 months ago to r/AskNetsec (reddit.com/r/AskNetsec/c...)