Today I did an upgrade of my Virtualmin server. After the upgrade and reboot, six services failed to start: Dovecot, proftpd, usermin, webmin, httpd and clamd@scan.
No relevant logs, nothing to see in journalctl -xe, messages, etc.
I restored the machine but the backup from two hours ago still had the same symptoms, so I suspected a potential hack, ran rkhunter, etc. Nothing unusual.
Then I saw a trace in httpd journalctl that the http conf had an entry for a vhost which was deleted a few weeks ago. So there were traces of the deleted vhost in: Dovecot.conf, Httpd.conf (ipkey, ipcert), ../authentic-theme (the user settings of the vhost were not deleted either).
The proftpd config file was broken ("unable to use /etc/ssh/ssh_host_rsa.key as it is group or world accessible"); I had to comment the key sections out.
clamd scan.conf was rewritten to use the same log file as the other clamav daemon service.
The /home/vhosts directories were deleted, though.
The only thing I can remember was that the respective user of the vhost changed the certificate settings of DNS because he included a relay to an Exchange server as the mail system.
It is a bug not to delete all respective settings of a vhost and to allow bricking all the services of the shared webhost.
I did disable the services half a year ago and deleted them two weeks before the date of writing. Until today everything worked because no restart was issued. After update/restart, the server was bricked.
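
A pre-restart check for the two failure modes described above: config directives still pointing at a deleted vhost's files, and key files that are group or world accessible. This is an added example, not part of the original post or of Virtualmin. The function names are hypothetical, the directive names are the standard Apache and Dovecot ones, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Covers only cert/key/docroot
# directives; paths containing spaces or "=" are not handled.

# Print absolute paths that cert/key/docroot directives in a config point to.
referenced_paths() {
    sed -e 's/#.*//' -e 's/=/ /' "$1" | awk '
        $1 ~ /^(SSLCertificateFile|SSLCertificateKeyFile|DocumentRoot|ssl_cert|ssl_key)$/ {
            p = $2; gsub(/^<|"/, "", p)      # drop Dovecot "<" and Apache quotes
            if (p ~ /^\//) print p
        }'
}

# Report directives whose target no longer exists (e.g. a deleted vhost).
stale_refs() {
    for conf in "$@"; do
        [ -r "$conf" ] || continue
        referenced_paths "$conf" | while read -r p; do
            [ -e "$p" ] || echo "$conf: missing $p"
        done
    done
}

# Report key files with any group or other permission bit set.
loose_keys() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c5-10)
        [ "$perms" = "------" ] || echo "$f: group/world accessible ($perms)"
    done
}

# Constructed sample: one live vhost, one deleted vhost, one loose key.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/live/public_html"
    : > "$d/live.key"; chmod 600 "$d/live.key"
    : > "$d/host.key"; chmod 644 "$d/host.key"
    printf '%s\n' "DocumentRoot \"$d/home/live/public_html\"" \
        "SSLCertificateKeyFile $d/live.key" \
        "DocumentRoot $d/home/gone/public_html  # deleted vhost" > "$d/httpd.conf"
    printf '%s\n' "local_name gone.example {" \
        "  ssl_cert = <$d/home/gone/ssl.cert" "}" > "$d/dovecot.conf"
    stale_refs "$d/httpd.conf" "$d/dovecot.conf" | sed "s|$d|TMP|g"
    loose_keys "$d/live.key" "$d/host.key" | sed "s|$d|TMP|g"
    rm -rf "$d"
}

demo
```

On a real host, pass the actual config and key file paths to `stale_refs` and `loose_keys` before restarting services, so a leftover reference shows up while the daemons are still running.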