Tty logins on VM's from unknown source


I’ve recently started to admin a 3-node server running OpenNebula 5.0.2-2 installed from packages on a Ubuntu 16.04 server, the problem is that somebody is able to access the VMS through the linux console, as if logging in through the VNC in sunstone. Somehow he manages to reboot the VM, add a user and than login with that username form tty1.

user tty1 Mon Nov 12 11:06 - 11:10 (00:03)
reboot system boot 4.4.0-138-generi Mon Nov 12 10:56 still running

This happens on all the VMs, sometimes the user is “user” without privilege, sometimes the user is “setup” with uid0 running some crappy crypto-mining program.
I’ve tried everything I could think of, changed all the passwords for all the accounts, changed the sunstone oneadmin password, allowed connections to sunstone just from my IP through iptables, and finally completely shutdown opennebula-sunstone and opennebula-novnc services to no avail, somehow he is still able to access the console, reboot it and create a username. The logs are of no help, there’s nothing in oned.log, vm.log or sunstone. Auth log only has this :
Nov 12 10:50:46 vmz login[3435]: pam_unix(login:auth): check pass; user unknown
Nov 12 10:50:46 vmz login[3435]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Nov 12 10:50:49 vmz login[3435]: FAILED LOGIN (1) on ‘/dev/tty1’ FOR ‘UNKNOWN’, Authentication failure
Nov 12 10:51:28 vmz systemd-logind[623]: New seat seat0.
Nov 12 10:51:28 vmz systemd-logind[623]: Watching system buttons on /dev/input/event0 (Power Button)

He doesn’t have direct access to the main server or the 2 slaves, i’ve checked everything i could think of, but somehow he does have access to OpenNebula, any ideea on this is possible or how to fix it would be greatly appreciated, the VM’s are production servers, rebuilding the entire OpenNebula is not an option, also it looks like they are more interested in running the crypto-mining crap instead of doing any other damage to them, but still, I can’t let this keep going on.

Versions of the related components and OS (frontend, hypervisors, VMs):
OS: Ubuntu 16.04 with the latest updates.
OpenNebula 5.0.2-2 installed from ubuntu packages.
ii opennebula 5.0.2-2
ii opennebula-common 5.0.2-2
ii opennebula-node 5.0.2-2
ii opennebula-sunstone 5.0.2-2
ii opennebula-tools 5.0.2-2
ii ruby-opennebula 5.0.2-2
qemu-kvm 1:2.5+dfsg-5ubuntu10.32
ceph 10.2.10-0ubuntu0.16.04.1