- If you determine you've been hacked, take your webserver off the network please. Your server may be serving malware, spamming people, functioning as part of a botnet and serving bad stuff for the bad guys.
If you are using Apache webserver, take a look at some of the other Log modules provided by Apache. These can help you track down if your webserver is doing anything strange. These two sound relevant:
Logging actual bytes sent and received
mod_logio adds in two additional LogFormat fields (%I and %O) that log the actual number of bytes received and sent on the network.
Forensic Logging
mod_log_forensic provides for forensic logging of client requests. Logging is done before and after processing a request, so the forensic log contains two log lines for each request. The forensic logger is very strict with no customizations. It can be an invaluable debugging and security tool.