On the day it was hacked, once per hour for 12 hours I got an email from my crontab with a huge list of spam links. I don't see anything amiss in the crontab now. Any ideas what this was attempting to do? Or actually did?
The collection lives at /var/spool/cron/crontab (or .../crontabs).
One of the system logs should contain a trace of the jobs that were executed, as well as the user account that executed the job. The exact file is up to the configuration of the OS. (Most likely, either a dedicated cron log, or syslog. The service can show up as cron or CRON, so "grep -i" is needed to find them all.)
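The log search described above, as an added example that is not part of the original posts. It assumes Vixie-cron/cronie style syslog lines; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise cron activity found in syslog-style logs.
# Assumed line format (Vixie cron / cronie):
#   <timestamp> <host> CRON[pid]: (user) ACTION (detail)

# cron_summary [FILE...]: print "count<TAB>user<TAB>action<TAB>detail",
# most frequent first. Reads stdin when no file is given.
cron_summary() {
    awk '
    {
        # Match the service tag case-insensitively: cron, CRON, crond, crontab.
        low = tolower($0)
        if (!match(low, /cron(d|tab)?(\[[0-9]+\])?: \(/)) next
        rest = substr($0, RSTART + RLENGTH)      # "user) ACTION (detail)"
        close_paren = index(rest, ")")
        if (close_paren == 0) next
        user = substr(rest, 1, close_paren - 1)
        rest = substr(rest, close_paren + 2)     # "ACTION (detail)"
        p = index(rest, " (")
        if (p == 0) { action = rest; detail = "" }
        else {
            action = substr(rest, 1, p - 1)      # CMD, REPLACE, RELOAD, ...
            detail = substr(rest, p + 2)
            sub(/\)$/, "", detail)
        }
        seen[user "\t" action "\t" detail]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
    ' "$@" | sort -rn
}

# Constructed sample input (not from a real system).
sample_log() {
    cat <<'EOF'
Mar  3 13:00:01 web1 CRON[4101]: (www-data) CMD (/usr/bin/php /var/www/site/cron.php)
Mar  3 14:00:01 web1 cron[4188]: (www-data) CMD (/usr/bin/php /var/www/site/cron.php)
Mar  3 15:00:01 web1 CRON[4240]: (www-data) CMD (/usr/bin/php /var/www/site/cron.php)
Mar  3 15:20:44 web1 crontab[4302]: (www-data) REPLACE (www-data)
Mar  3 15:21:00 web1 cron[612]: (www-data) RELOAD (crontabs/www-data)
Mar  3 15:30:12 web1 sshd[4400]: Accepted publickey for admin from 192.0.2.10
EOF
}

# Demo on the sample; on a real host pass the log files instead, for example
# /var/log/syslog or /var/log/cron (common defaults, an assumption here).
sample_log | cron_summary
```

CMD rows show which account ran which job and how often; REPLACE rows are written by the crontab command and mark when a user's crontab was rewritten, which helps when the crontab looks clean after the fact.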