What to do if Plesk server was hacked?

The server was hacked. What to do?

The most recommended way is to contact 3rd party security company to investigate the source of the attack as such companies are experienced in that matter. Once the issue is localized, it is highly recommended to migrate to the new server. When the attacker raised their privileges to the root level using malicious software, they can do whatever they want with the server. And even if some rootkits or malware were found during the investigation and cleaned up, there is no guarantee that there are no others left. The malware can be loaded to RAM, some backdoors enabled or cronjobs that have a task to download malicious software.

Restoring the server from the snapshot does not guarantee that the server is clean as well because it is not clear when the server has been compromised and malware was uploaded to the server. It could have been done months ago and activated just now.

How to find the way the server was hacked?

Third-party solutions that search for rootkits or malware provides the scanning based on known malware and can miss the ones that were never detected before. As a result, the report will be inaccurate. 

Contact 3rd party security company to investigate the root cause. Do not change anything on the server before the investigation starts. It will help to avoid losing traces and evidence.

How to prevent hacking in future?

Additional actions that can be done to protect the server from hacking are described in the article How to secure Plesk server?