Friday, March 27, 2015

What types of things happen when a web server gets hacked.

These are just some of the things that can happen, and it really depends on the server, the type of data stored on it, and whether it sits in a server farm or at a facility like an office. The outcome can be massively bad depending on a variety of factors, because a server being hacked is never a good thing, unless you're the one doing the hacking, and then only if you're a black hat.

On most web servers there is code, acres and acres of code. If the server uses a dynamic language for page creation, like PHP or ASP, then there are likely database connections at play, and those databases hold the information you would normally expect to find on such a server: usernames, passwords, names, e-mail addresses, and so on. If the server hosts a medical site it may also hold personal health information, all of which should be encrypted where it is stored (passwords should be hashed rather than encrypted, since the site never needs them back in the clear). If the server controls something else, like a web-controlled automation system, then whoever controls the server likely controls that something too.

Why would it be hacked?
Different information has different values on the black market. Usernames, passwords and e-mail addresses have value because people reuse them, so they can be tried against other servers to gain access to something else. Example: Website A is compromised, and a Twitter account that uses the same e-mail address and password is taken over with those credentials. Social Security numbers can be used not only to impersonate someone but also to defraud the Social Security system or open new fake accounts in their name. Medical information is only worth something to someone who cares about the target: a record showing that a politician has a condition that wasn't disclosed to the public might have a value, but Grandma's arthritis probably doesn't, unless it is used to spam or phish Grandma with offers of pain meds, which could theoretically happen.

If the server is housed in a server farm, it's likely on a restricted network, and likely doesn't talk to anything else on that network. It could be used to pivot if the attacker got beyond the web server or the website itself, but in a farm that is less likely. What usually happens when a web server in a server farm is hacked is that it's immediately used for its bandwidth and its prominent position: new databases are created, new websites are hosted, traffic is diverted. Data centers and server farms have something everyone wants, real estate. If the server is locked down to prevent those things, then only the website is hacked, and that still lets an attacker use the site to collect information on its users and forward it to the attacker's own servers, or serve malware from the compromised site to infect visitors' workstations. If the account the web server runs under has write access to the website's files, then files can be injected and a back door created, and through that back door the attacker can read the databases using the site's own permitted database connection. If that account has enough permissions on the machine, the attacker can go further: spin up more servers, turn on services that aren't currently running, and install things like proxy servers, VPN endpoints, voice communications, video hosting; a lot of possible options.
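The "write access for the web server" case above is the one a practitioner can check for directly. The script below is an added example, not code from this post: it audits a document root for anything the web server's own account could modify, on the assumption that the server runs as a dedicated Unix account (www-data on Debian, for instance) and that a different deploy user owns the site's files. The rule it applies is that nothing under the docroot should be owned by the web account (an owner can always chmod and then write), group-writable by its group, or world-writable; any such file or directory is a place where an upload or path-traversal bug can drop a web shell that the server will then execute. The demo tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Audit a document root for entries the web server's account could write.
# Added example; assumes a Unix host with a dedicated web account and a
# separate deploy user. USER and GROUP may be names or numeric ids.

# find_writable ROOT USER GROUP
# Prints every file or directory under ROOT that is owned by USER (any
# mode: the owner can chmod it), group-writable by GROUP, or
# world-writable. Octal -perm masks are used for portability.
find_writable() {
    root=$1 user=$2 group=$3
    find "$root" \( -user "$user" \) \
        -o \( -group "$group" -perm -020 \) \
        -o -perm -002 | sort
}

# count_writable ROOT USER GROUP -> number of flagged entries
count_writable() {
    find_writable "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Constructed demo tree (not a real site): a correctly read-only index.php,
# a world-writable config.php, and an uploads/ directory left 777 so the
# application can save files into the docroot. Prints the tree's path.
make_demo_site() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/uploads"
    printf '<?php echo "index"; ?>\n' > "$tmp/site/index.php"
    printf '<?php $db_pass = "x"; ?>\n' > "$tmp/site/config.php"
    chmod 755 "$tmp/site" "$tmp/site/uploads"
    chmod 644 "$tmp/site/index.php"
    chmod 666 "$tmp/site/config.php"   # wrong: anyone on the box can edit it
    chmod 777 "$tmp/site/uploads"      # wrong: the server can write into the docroot
    echo "$tmp/site"
}

# Stand-alone run: "./audit.sh demo" audits the demo tree with uid/gid
# 65534 (nobody) standing in for the web account, since the user running
# this script owns every file in the demo. On a real host, pass the real
# docroot and the account the web server actually runs as.
if [ "${1:-}" = "demo" ]; then
    site=$(make_demo_site)
    echo "entries under $site the web account could modify:"
    find_writable "$site" 65534 65534
    rm -rf "$(dirname "$site")"
fi
```

On the demo tree only `config.php` and `uploads` are reported; `index.php` and the docroot itself are not. A clean result on a real site means an attacker who finds an upload or traversal bug still cannot turn it into a persistent back door, though it says nothing about what the site's database account is allowed to do, which is the next thing to restrict.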

If the server is in an office, a variety of other things can be compromised. If only the site itself is compromised, the same things can happen as in a server farm. If the attacker gains access to the server itself, and that server is also a domain controller, and the admins use the same username "admin" with the same password everywhere, then the attacker can log in to that server and control the domain, the e-mail accounts, the domain's routing and DNS, and the website. From a domain controller they can collect anything that crosses the network unencrypted. With a man-in-the-middle position they can get at the encrypted traffic too: control of the domain lets them push a certificate authority they own to every domain-joined machine, so the TLS connections they proxy look legitimate to the clients. They can also leech information from the server and use it to pivot to other systems on the same network even when it isn't a domain controller. With enough access they can install applications to keep mining data, then spoof packets and routes to capture traffic meant for elsewhere. It really depends on where the box sits in the network infrastructure.

Even if the server is locked down so that the attacker is confined to the website and its database, they can still create new websites and databases inside that space. There is also the risk of the network's external IP being blacklisted if the server is used to send spam or phishing e-mail; web servers can send e-mail, and a compromised one will. And there is bandwidth: traffic from an abused server can saturate the link and bring down the rest of the network.

How to prevent a hack?
Management need to ask their IT people about the permissions, restrictions and infrastructure in place on the network, and make sure they're familiar with all of the risks at hand. Web designers need to contact the webmasters if they think there is an issue. If a different company hosts the website, check their procedures, and if those don't seem "secure", move the site to a better host.
