The server was hacked. What to do?
The most recommended way is to migrate to the new server. When the attacker raised their privileges to the root level using malicious software, they can do whatever they want with the server. And even if some rootkits or malware were found during the investigation and cleaned up, there is no guarantee that there are no others left. The malware can be loaded to RAM, some backdoors enabled or cronjobs that have a task to download a malicious software.
Restoring the server from the snapshot does not guarantee that the server is clean as well because it is not clear when the server has been compromised and malware was uploaded to the server. It could have been done months ago and activated just know.
How to find the way the server was hacked?
Third-party solutions that search for rootkits or malware provides the scanning based on known malware and can miss the ones that were never detected before. As a result, the report will be inaccurate.
If it is required to understand how the server was hacked, consider to contact a security company that investigates such cases. This is a recommended way since such companies are experienced in that matter.
Do not change anything on the server before the investigation starts. It will help to avoid losing traces and evidence.
How to prevent hacking in future?
Additional actions that can be done to protect the server from hacking is described in the article How to secure Plesk server?
