They got in through a vulnerable script so search through your logs for the file in question (dc.txt). Then you can locate the hackers IP address.. and search for that also.
grep -i "dc.txt" /var/www/vhosts/*/statistics/logs/access_log
To search for general nasty commands trying to exploit vulnerable scripts:
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /var/www/vhosts/*/statistics/logs/access_log
Usually when someone gets access they try and hide code in any directory that's writable by apache:
Use these commands to search for .php , .pl, .cgi files which are owned by apache (they usually hide them in tmp or upload directories):
find / -name \* -user apache -ls | egrep '(\.php|\.cgi|\.pl)'
Also they usually like to drop a crontab entry for apache. Make sure that you can't have anything bad in your apache cron: