strange cron command

snaaps (Verified User, joined Jan 29, 2005, 226 messages, Netherlands)
Hello,

I found the following line in our exim config:
2008-12-08 01:44:01 1L9UED-0000Dw-4H <= [email protected] U=root P=local S=971 T="Cron <root@server22>  chown root:root /home/mavicomn/domains/userdomain.org/public_html/images/M_images/ad" from <[email protected]> for root

In the user crons we cannot find this line, and not in the crontab either.
How can I find out where this comes from?

(I want to delete it, because it will chown to root:root)
 
It looks like a multi-step symlink/tempfile local exploit to me. Check your system with forensic tools.

The cron file launching the command is probably in /etc/cron.d or has already been deleted if the exploit succeeded.

EDIT: now I've some more time to help you out, here are some hints IF it's an attack:

- the website at "/home/mavicomn/domains/userdomain.org/public_html/" probably has some Remote File Include or Remote Command Injection vulnerability, that's where the guy entered your system; just guessing, it may be anything else

- there are many local root exploits targeting a symlink race condition when a file gets chowned; for example a guy could create a symlink "/tmp/some_automatic_file -> /etc/cron.d/non_existent" and trigger a root-running program to do "touch /tmp/some_automatic_file; chown myuser:myuser /tmp/some_automatic_file"; by consequence the user has now access to a cron config (/etc/cron.d/non_existent) and can do whatever is asked by the next step

- "/home/mavicomn/domains/userdomain.org/public_html/images/M_images/ad" is probably a script or precompiled application that does setuid(0)+setgid(0) then launches a shell, and needs root as owner/group plus the setuid bit (chmod +s) to work; it is part of the security exploit. If that's what happened, you should see a "chmod +s" just before or after the "chown root:root" in your logs

- I suggest you run "chkrootkit" and "rkhunter", which will catch any famous rootkit, programs that will make it difficult for you to clean your system; if you catch nothing with them, I highly suggest you save an image of the entire system and do a fresh install, or pick the last complete system backup

If you need professional help just contact me in private.

If you just have a bad administrator that inserted that dangerous command in one of your cron files... fire him :D

Good luck.
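One way to answer the original question (which cron source schedules the command) and to check the reply's point about a setuid binary under the web root, as an added shell example that is not part of this thread. The cron locations are the usual ones on a Linux host, and the optional ROOT argument (an assumption added here) lets the search run against a mounted image or copy of the filesystem instead of the live system.

```shell
#!/bin/sh
# Added example: locate the cron entry that runs a given command string, and
# list files with the setuid/setgid bit under a directory such as a web root.

# find_cron_source PATTERN [ROOT]
# Prints "file:line:entry" for every cron entry containing PATTERN (matched as
# a fixed string, so paths with dots are safe). Looks in the system crontab,
# /etc/cron.d, the periodic directories and the per-user spool directories.
# ROOT (default empty, i.e. the live system) is prefixed to every path so a
# mounted forensic image can be searched instead.
find_cron_source() {
    pattern=$1
    root=${2:-}
    for d in "$root/etc/crontab" "$root/etc/cron.d" \
             "$root/etc/cron.hourly" "$root/etc/cron.daily" \
             "$root/etc/cron.weekly" "$root/etc/cron.monthly" \
             "$root/var/spool/cron" "$root/var/spool/cron/crontabs"; do
        [ -e "$d" ] || continue
        # -r recurses into directories, -n adds line numbers, -H forces the
        # file name even for a single file; "|| :" keeps a non-match from
        # aborting the loop under "set -e".
        grep -rnHF -- "$pattern" "$d" 2>/dev/null || :
    done
}

# find_setuid_files DIR
# Lists regular files under DIR with the setuid or setgid bit set. Under a
# web root such files are not expected; check their owner with "ls -l".
find_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Usage on the live system (as root), with the values from the thread:
#   find_cron_source 'chown root:root'
#   find_setuid_files /home/mavicomn/domains/userdomain.org/public_html
```

If the command no longer appears in any cron source, the entry has already been removed, and the exim log line remains the only record of it.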
 