What logs might help you determine how the website was defaced? What kind of information would you look for?

You run a website in an IaaS environment. You wake up to discover that your website has been defaced. Assume you are running a web server and an FTP server in this environment and that both an application proxy and a firewall sit between those servers and the Internet. All of your VMs are running SSH servers.

Some possible logs to look atand the SSH connection logs, FTP logs, application proxy logs, firewall logs, and server security event logs. Look for logins, connections from unknown IP addresses, file uploads, and changes to files.