Once something like this happens, only a complete re-install of the machine is going to fix the problem .. especially if that is the crontab file for the root user.
If you really want to see HOW the person got in, IF they have not implanted a root kit, then you could review logs like /var/log/secure and look for sshd entries.
But if your root user has been compromised, the only thing that makes sense is a complete re-install.
In the future, you can minimize ssh access issues by doing some smart things like:
Do not allow password logins via ssh ... only allow key based logins. This would mean that only people that have the correct private keys in their profile can log in.
Do not allow direct root logins (even with keys) and require all root access to be done via sudo. Then you can tell which users have used root access via the secure logs.
If at all possible, limit the open sshd port to a range of source IP addressees via iptables instead of open to all.
set SSHD to listen on another port rather than 22 from the outside (you can listen on port 22 AND the other port very easily). This step will not deter people who are actively scanning for ssh ports, but will prevent autoscans that only look at port 22.
You might also consider setting up a VPN that requires shared certificates to connect to your entire LAN. OpenVPN is one way to do this. Many routers can do this as well. Then you can get access to your LAN via the VPN and not expose each server directly to the Internet individually.