Start with the web server logs
That should give an idea of how the service was compromised. It will narrow the search parameters as to finding what was used. Looking for a cluster of 4xx responses may help as most compromises scan the server for vulnerabilities before striking.

If there's nothing in the web server log, or there are pieces missing, then you have a much bigger problem as that would indicate some type of privilege escalation beyond the web server.

Penetration testing tools like OpenVAS can be used to check for known holes, but as Digital Ocean has already made changes, that may not be very helpful at this stage. OpenVAS is a competent free tool, but can be a bear to get running from scratch. Some Linux distributions include it. (Kali Linux does. This is a specialist pen testing live disc distro.)
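
An added example, not part of the original post, of the 4xx-cluster check suggested above: it flags clients that produced a burst of 4xx responses and lists the successful requests they made afterwards, which is where to look next. The sample log lines, the threshold and the window are constructed assumptions, and the log is assumed to be in Common/Combined Log Format in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/Combined Log Format: ip ident user [time] "request" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')

# Constructed sample lines (documentation-range IPs), not from a real server.
SAMPLE = """\
198.51.100.20 - - [10/Mar/2024:09:59:58 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /old/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /admin/ HTTP/1.1" 403 153
198.51.100.20 - - [10/Mar/2024:10:00:03 +0000] "GET /missing.png HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /test.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /config.bak HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:02:40 +0000] "POST /contact.php HTTP/1.1" 200 312
""".splitlines()

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip malformed or truncated lines instead of failing
    ip, ts, req, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), req, int(status)

def find_4xx_clusters(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {burst_start, burst_end, later_2xx}} for clients with at
    least `threshold` 4xx responses inside a sliding `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of 4xx still inside the window
    flagged = {}
    for ip, when, req, status in filter(None, map(parse, lines)):
        if 400 <= status < 500:
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:  # drop 4xx hits older than the window
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(ip, {"burst_start": q[0], "later_2xx": []})
                hit["burst_end"] = when
        elif ip in flagged and 200 <= status < 300:
            flagged[ip]["later_2xx"].append((when, req))  # requests to review next
    return flagged

if __name__ == "__main__":
    for ip, hit in find_4xx_clusters(SAMPLE).items():
        print(ip, hit["burst_start"], hit["burst_end"], hit["later_2xx"])
```

A single stray 404 from a normal visitor stays below the threshold; tune `threshold` and `window` to the site's usual traffic before trusting the output.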
Thanks for the tip, downloaded Kali Linux.
