To provide you with a general example, I'll use WordPress which uses PHP and MySQL/MariaDB. It's the target of a lot of attacks and a lot of sites fail to update core, plugins, and themes.
Let's say that you followed a very basic guide on how to setup NGINX, PHP, and MySQL on Ubuntu. That guide didn't tell you how to set things up properly, but you're not familiar with how things should be setup, so you assume to guide is correct.
PHP-FPM, by default, runs as the
www-data user, so you're files and directories would be owned by that user and group (which is pretty common). That user and group have read + write permissions otherwise WordPress would fail to work, or you'd have to do a lot of things by hand (not really a bad thing, but it slows things down).
Now, a tool such as
wpscan can be used on my end to analyze your website. I'll know exactly what plugins you have installed and if they are vulnerable. If you're running a vulnerable version of a plugin or WordPress itself, I can then see what the attack vector is.
From there, if one of the attack vectors allows me to upload a PHP file to your server without alerting you, I'm in and as long as I can execute that file, you're in trouble.
I could do something quick and easy like simply deleting your files:
$dir = __DIR__;
$cmd = shell_exec( "rm -rf $dir" );
All it takes is one execution of that file and boom, files are gone. But most attackers don't want to kill off their chances of doing more, so that most likely wouldn't be the most common incident.
So since I have access to upload files, I could upload something that does more damage to you than just deleting files. I can target your account so it looks like your abusing it.
If I see you're using a mail plugin, bingo. I can download the plugin, see what I need to do in order to interact with it and then mail blast whoever I want. It'll come from your account on both ends, so at the end of the day, all I did was write a little code to cause you some serious trouble (i.e. account suspension, deletion, etc).
I could also write something that would simply redirect traffic off your site and over to another -- perhaps something that looks like your site, and steal your visitors data.
Also keep in mind, if I can read your files using my scripts, I can read
wp-config.php which contains your database credentials. That means I know how to connect to your database, so that's probably my next target.
All of these are just examples of course -- what someone could do. The thing is, none of these have anything to do with your server other than permissions on your files. So in this case, using the most secure SSH key in the world and 20,000 KDF rounds isn't going to save you. All of these are web based attacks that you're firewall isn't going to pick up.
Now, if you happen to be running PHP-FPM or a service as
root and I can get in (which I've seen in many cases, sadly, on web-based apps), there's really no telling what I could do. I could do all the above far easier, upload my own SSH key, etc. At this point, I could sit idle and let you feed me data or I could just keep things moving along and do whatever I want. After all, with root access that works, it's root access, so there's not much you're going to do unless you find out how I got in and fix it.
At that point, with a root-level breach, you're better of identifying on the current server and firing up a new one, making sure you fix what was wrong with the other as you'd be asking for trouble trying to fix a rooted server.