Missing Logs Made Apache Go Down

I woke up early this morning to an alert that Apache was down. It appears it went down after the 4am rotation of the logs. When it refused to start, I looked in /var/log/httpd/error_log.1 (error_log was empty) and found line after line of:

(2)No such file or directory: httpd: could not open error log file /home/“user”/logs/error_log.

The whole logs directory was missing for that account. I ran mkdir logs, added the error_log, and Apache started up.

What happened?

Okay… that site got hacked. It’s an osCommerce site.

They installed a file manager and tried to access or delete massive amounts of server files, but it looks like they were met with “permission denied” on everything except files owned by that virtual account.
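
The startup failure above happens because Apache will not start when the directory of a configured log file is missing. The script below is an added example, not part of the original post: it scans config files for ErrorLog, CustomLog and TransferLog targets and reports any whose directory does not exist. The function names, the account names (alice, bob) and the sample vhost file are constructed for illustration.

```shell
# Added example (not from the original post): report Apache log targets whose
# directory is missing. Piped logs, syslog: and ServerRoot-relative paths are skipped.

# Print "<line> <directive> <absolute path>" for each log directive in file $1.
extract_log_targets() {
    awk '
        { sub(/^[ \t]+/, "") }               # drop indentation
        /^#/ { next }                        # skip comments
        tolower($1) ~ /^(errorlog|customlog|transferlog)$/ {
            directive = $1; path = $0
            sub(/^[^ \t]+[ \t]+/, "", path)  # drop the directive name
            if (path ~ /^"/) { sub(/^"/, "", path); sub(/".*$/, "", path) }
            else             { sub(/[ \t].*$/, "", path) }  # drop format nickname
            if (path ~ /^\//) print NR, directive, path
        }' "$1"
}

# Report each missing log directory; return 1 if any was found, else 0.
check_log_dirs() {
    missing=$(
        for conf in "$@"; do
            extract_log_targets "$conf" | while read -r lineno directive target; do
                dir=$(dirname "$target")
                [ -d "$dir" ] || echo "MISSING $dir ($directive at $conf:$lineno)"
            done
        done
    )
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"; return 1
}

# Constructed sample: alice has her logs directory, bob's has been deleted.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice/logs" "$root/home/bob"
    cat > "$root/vhosts.conf" <<EOF
<VirtualHost *:80>
    ErrorLog $root/home/alice/logs/error_log
    CustomLog "$root/home/alice/logs/access_log" combined
</VirtualHost>
<VirtualHost *:80>
    # ErrorLog /old/path/error_log
    errorlog $root/home/bob/logs/error_log
    CustomLog "|/usr/sbin/rotatelogs /var/log/x 86400" combined
</VirtualHost>
EOF
    check_log_dirs "$root/vhosts.conf" || echo "fix before restarting httpd"
    rm -rf "$root"
}
demo
```

Run against the real vhost config files before a restart or from the log rotation job, a non-zero exit status means at least one account's log directory needs recreating (and is worth investigating, since a vanished logs directory was the first sign of the compromise here).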