Task Schedulers

Hacked through docker, how to detect malware?

After the FW failure on the equipment, on two machines with linux ubuntu 16.04 server, all ports were open to the outside, only dockerd was spinning on one of the machines. As a result, the miner was picked up. When searching for files modified on the day of infection, a backdoor was found and removed. The attacker also closed the iptables docker port in rc.local and made the backdoor autorun.
The malicious script itself added itself to the cron to run every minute and added itself to the launch if there was no instance of it. At what after reset this rubbish was all the same downloaded and started.
Now all download paths are covered by FW, but after a reboot, cron is still started with a task to download and execute the script.
And I checked all known paths, rc.local, /etc/crontab, /etc/cron.d, dayly, weekly, mounthly, /var/spool/cron,
/etc/systemd/ and /lib/systemd as well as /etc/init and init.d
I killed cron, but someone adds entries to crontab. How to check which application is doing it?
The logs are full of entries:
Jun 19 19:28:52 DEV crontab[20141]: (root) DELETE (root)
Jun 19 19:28:52 DEV crontab[20142]: (root) REPLACE (root)
Jun 19 19:29 :02 DEV crontab[20330]: (root) DELETE (root)
Jun 19 19:29:02 DEV crontab[20331]: (root) REPLACE (root)