A couple of things, jason-mis. First, I can't help but notice that your attacker knows your first name; this is a big clue all by itself.

Next, your secure log suggests that ssh is not properly configured. We have multiple warning lines at the beginning.

Looking here -->
Did not receive identification string from 140.186.76.196. IP from domain aasp.net, probably Rhode Island area.
Jan 2 22:06:35 localhost sshd[23230]: Did not receive identification string from 127.0.0.1.
Jan 2 22:07:03 localhost sshd[578]: Received signal 15; terminating.
<snip>
Jan 3 07:52:36 localhost sshd[31117]: Did not receive identification string from 212.64.115.215. IP from domain casema.net, an ISP from the Netherlands
Jan 3 07:53:36 localhost sshd[31119]: Did not receive identification string from 127.0.0.1.
Jan 3 08:52:36 localhost sshd[23253]: Generating new 768 bit RSA key.
Jan 3 08:52:36 localhost sshd[23253]: RSA key generation complete.
Jan 3 13:28:43 localhost sshd[31254]: Did not receive identification string from 127.0.0.1.
Jan 3 13:33:14 localhost sshd[31337]: Did not receive identification string from 212.64.115.215. ditto
Jan 3 13:51:13 localhost sshd[31389]: Could not reverse map address 150.176.129.161. This IP is either spoofed, or is an internal network IP address. This is probably the IP of the attacker, probably.
Jan 3 13:51:17 localhost sshd[31389]: Accepted password for Admin from 150.176.129.161 port 1025 ditto, suspicious IP
Jan 3 14:10:20 localhost sshd[31469]: Accepted password for Admin from 216.77.74.2 port 64214 resolves to an IP from putnam-fl, a.k.a. bellsouth.net. You perhaps?
Jan 3 14:28:43 localhost sshd[23253]: Generating new 768 bit RSA key.
Jan 3 14:28:43 localhost sshd[23253]: RSA key generation complete.
Jan 3 14:33:16 localhost sshd[31553]: Bad protocol version identification 'ÿôÿý^F ' from 216.77.74.2 post attack connection attempt from the IP above.

The other question is: where are all of the entries in wtmp? That log should have quite a bit in it. The fact that it does not is suspicious and leads me to believe that the entries were deleted, which is a common thing to do during an exploit.
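
A triage sketch for the log excerpt above, added here as an example and not part of the original post: it groups the sshd events by remote IP and lists the addresses whose accepted password login coincides with another anomaly in the same log. The function names and the "needs review" rule are assumptions of this example; the sample lines are the post's own log lines with the inline annotations stripped.

```python
import re
from collections import defaultdict

# Log lines from the post above, inline annotations stripped.
SAMPLE = """\
Jan 2 22:06:35 localhost sshd[23230]: Did not receive identification string from 127.0.0.1.
Jan 3 07:52:36 localhost sshd[31117]: Did not receive identification string from 212.64.115.215.
Jan 3 13:33:14 localhost sshd[31337]: Did not receive identification string from 212.64.115.215.
Jan 3 13:51:13 localhost sshd[31389]: Could not reverse map address 150.176.129.161.
Jan 3 13:51:17 localhost sshd[31389]: Accepted password for Admin from 150.176.129.161 port 1025
Jan 3 14:10:20 localhost sshd[31469]: Accepted password for Admin from 216.77.74.2 port 64214
Jan 3 14:33:16 localhost sshd[31553]: Bad protocol version identification 'ÿôÿý^F ' from 216.77.74.2
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (.*)$")
# One pattern per sshd message type that appears in the post.
PATTERNS = [
    ("probe", re.compile(r"Did not receive identification string from " + IP)),
    ("no_reverse_dns", re.compile(r"Could not reverse map address " + IP)),
    ("accepted", re.compile(r"Accepted password for (?P<user>\S+) from " + IP)),
    ("bad_version", re.compile(r"Bad protocol version identification .* from " + IP)),
]

def triage(text, local=("127.0.0.1",)):
    """Return {ip: [(timestamp, kind, user_or_None), ...]}, skipping loopback."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an sshd line in the expected syslog layout
        when, msg = m.groups()
        for kind, rx in PATTERNS:
            hit = rx.search(msg)
            if hit and hit.group("ip") not in local:
                user = hit.groupdict().get("user")
                by_ip[hit.group("ip")].append((when, kind, user))
    return dict(by_ip)

def logins_needing_review(by_ip):
    """IPs with an accepted login plus at least one other event kind."""
    return sorted(ip for ip, ev in by_ip.items()
                  if "accepted" in {k for _, k, _ in ev}
                  and len({k for _, k, _ in ev}) > 1)

if __name__ == "__main__":
    events = triage(SAMPLE)
    for ip in logins_needing_review(events):
        print(ip, events[ip])
```
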