On compromised servers it is very common for an exploit to delete itself and its logs to hide its presence.
Even though the executable may have been removed from the filesystem, the process was forked from apache2, so the parent process will still hold open file handles to it.
This allows you to recover log files and executables, as long as you do not kill the process.
To recover the files use the following steps:
Find the PID of the process with the open file handles (use lsof)
cd /proc/<PID>/fd where <PID> is what you found using lsof above
Run ls -lra and you should see a load of broken symlinks (red)
Copy the file using cp into another directory
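
The steps above can be scripted so that every deleted-but-still-open file is copied out in one pass. This is an added example, not part of the original page: the function name recover_deleted_fds and the output naming are this example's own, and it goes slightly beyond the steps by also checking /proc/<PID>/exe, which is where the kernel exposes a deleted executable.

```shell
#!/bin/sh
# Added example: copy out files a live process still holds open after they
# were unlinked. Usage: recover_deleted_fds <PID> <OUTDIR>
# Run as root (or as the process owner) and do NOT kill the process first.

recover_deleted_fds() {
    pid=$1; outdir=$2; count=0
    [ -d "/proc/$pid/fd" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$outdir" || return 1

    # /proc/<PID>/exe is the running binary; /proc/<PID>/fd/* are its open files.
    for fd in /proc/"$pid"/exe /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            # The kernel appends " (deleted)" to the path of an unlinked file.
            /*" (deleted)") ;;
            # Sockets, pipes and files that still exist are skipped.
            *) continue ;;
        esac
        name=${target%" (deleted)"}
        dest="$outdir/${fd##*/}_${name##*/}"
        # cp follows the /proc symlink and reads the still-allocated inode.
        if cp -- "$fd" "$dest"; then
            echo "recovered $target -> $dest"
            count=$((count + 1))
        fi
    done

    # Succeed only if at least one file was recovered.
    [ "$count" -gt 0 ]
}
```

Write the output directory to separate media where possible, so that recovery does not overwrite other evidence on the compromised disk.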