I once did 6 hours of forensics on myself trying to figure out how I got hacked, after finding a second sshd spawning from inetd on port 666.
Turns out, I'd installed it myself years earlier as a backstop for failed ssh upgrades & forgotten I did so. DUH!