linux
Alexander Alexandrovich, 2016-08-15 09:22:50

How to fix a server hack?

Good afternoon. Please advise: there is a server on Ubuntu 14.04 that receives abuse complaints several times a month and gets shut down. It has iptables (whitelist) and fail2ban. Bash files appear in the tmp folder that brute-force other servers over SSH. What can be done to fix this situation?


6 answer(s)
Dmitry Shitskov, 2016-08-15
@Zarom

1. Look through the logs and find out what they broke into the server through: ssh, ftp, http or whatever else you have running there.
   Maybe the article https://habrahabr.ru/company/sprinthost/blog/125839/ will help somehow.

Yuri Chudnovsky, 2016-08-15
@Frankenstine

Any hack is dealt with in three stages:
1) Turn off the affected machine.
2) Boot from trusted media (a flash drive) and study the logs, search for traces of the break-in, determine the method of compromise and identify the vulnerability that allowed the attack, as well as the changes the attacker made.
3) Reinstall the entire system, optionally restore content from a backup, close the holes you found (for example, update the WordPress plugins if you use that engine), change all passwords, and start the server.
You can do without reinstalling if you are sure the attacker could not get root rights and install rootkits. But it is better to play it safe right away than to find out two days later that it was all in vain.

Dmitry Alexandrov, 2016-08-15
@jamakasi666 Linux tag curator

Most likely they are "breaking in" via http, because access permissions are not configured properly or you are using your own hand-written pages.

vertas52, 2016-08-15
@vertas52

In your case the best option is to pay specialists.

Dmitry Aitkulov, 2016-08-15
@Scarfase1989

If you access the server from static IPs, restrict SSH access to those IPs only. Close SSH access for root. Monitor top for suspicious files (I had something like fshquyrwb).
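
A small triage script for the checks in this answer and for the dropped bash files the question describes, added here as an example and not part of the original thread: it lists files under a directory (default /tmp) that look like dropped scripts, finds processes executing out of that directory via /proc, and checks whether sshd_config explicitly sets PermitRootLogin no. The directory and config path are parameters; run it as root to see every process in /proc.

```shell
#!/bin/sh
# Added example: triage helpers for a host that keeps dropping scripts in /tmp.
# Not from the original thread; paths are parameters with /tmp and
# /etc/ssh/sshd_config as defaults.

# List regular files under DIR that are executable or start with "#!":
# these are the dropped bash files the question describes.
find_dropped_scripts() {
    dir=${1:-/tmp}
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        if [ -x "$f" ] || [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# List processes whose binary or working directory is under DIR, using /proc.
# Unreadable entries (other users' processes, PIDs that just exited) are
# skipped; run as root to see everything.
procs_running_from() {
    dir=${1:-/tmp}
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null || true)
        cwd=$(readlink "$p/cwd" 2>/dev/null || true)
        case "$exe" in "$dir"/*) printf '%s exe=%s\n' "${p#/proc/}" "$exe" ;; esac
        case "$cwd" in "$dir"/*) printf '%s cwd=%s\n' "${p#/proc/}" "$cwd" ;; esac
    done
}

# Succeed (exit 0) only if CFG contains an uncommented "PermitRootLogin no".
root_login_disabled() {
    cfg=${1:-/etc/ssh/sshd_config}
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$cfg" 2>/dev/null
}

# Run all three checks and print a short report.
triage() {
    dir=${1:-/tmp}
    echo "== script-like files under $dir =="
    find_dropped_scripts "$dir"
    echo "== processes running from $dir =="
    procs_running_from "$dir"
    if root_login_disabled "${2:-/etc/ssh/sshd_config}"; then
        echo "sshd: PermitRootLogin no is set"
    else
        echo "sshd: root login is NOT explicitly disabled; set PermitRootLogin no"
    fi
}
```

Source the file and call `triage` (or `triage /tmp /etc/ssh/sshd_config`) to get the report; each helper can also be used on its own.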

Nurlan, 2016-08-15
@daager

We had a break-in. In nginx I started writing almost all the important information about the user to the log. As a result, I saw in the logs that the "admin" (by cookie) was uploading a shell through a hole in the admin panel.
