Hi Dear Hestia devs & other readers,
It has been a long while since I had the opportunity to visit here, but now I have recovered and the doctor said I can use my hands (a little).
So I'll describe the background, and sorry, I think this is not at all Hestia CP's fault in any way! It's a robust piece of code, thank you sirs; when I get my salary I'll offer you a meal.
The server setup is basic: one purely dev & database server, and a smaller one is the web server. NS is handled with Cloudflare on the web server, and the DB server is connected through IPv4 (shame on me).
Last Friday I got an alarm that the web server could not connect to the external web server. I had not made any changes.
I noticed the DB server's bind was not working at all, and also that all dormant user accounts were active. I did manage to take a backup, but noticed right after that the DB size had bumped up 35% (perhaps encrypted now?). I also have had no luck/time yet to install the SQL backup anywhere to see how badly it's hacked.
I think these symptoms might relate to (Ubuntu & Perl and rsync traversal?), so normal privileges might have gained root access?
I emphasize this is not related to Hestia CP, but the solution might be to understand what steps to take to recover the DB and web servers and make them safe without starting from scratch. The problem with the DB server is that the great hosting provider (or the attacker) made it so that there were no automatic backups at the hoster.
Also, there was a bind installed and I had to install it again.
Minimising downtime is essential, and it would help if someone could get me on the right track. So I did try to minimize the damage spreading and used the Hestia CLI command to suspend users; strangely they have no domains, and still the following happens:
Configuration file '/etc/bind/named.conf.options'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer’s version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** named.conf.options (Y/I/N/O/D/Z) [default=N] ?
named-resolvconf.service is a disabled or a static unit not running, not starting it.
Failed to preset unit: File /etc/systemd/system/bind9.service already exists and is a symlink to /dev/null.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on named.service: No such file or directory
Processing triggers for systemd (245.4-4ubuntu3.24) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for libc-bin (2.31-0ubuntu9.16) ...
root@scrooge:~# sudo egrep "^slime1:!" /etc/shadow > /dev/null; echo $?
1
root@scrooge:~# v-suspend-user slime1
Error: user slime1 doesn’t exist
But it does, Slime1 I mean, and a dozen other Slimes.
Sorry, but I am not a server admin (they still don't believe it), and my bad hands and the hosting company's reckless backup situation force me to use them too much already. I know a clean install requires a load of work and there are financial losses involved.
Anyway, have a very happy springtime. Try to rest too.
Brgds Viperzer0
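The /etc/shadow check in the post above, worked through as an added example (this is not the poster's command and not Hestia code). The egrep "^slime1:!" returns 1 both when the account is unlocked and when it has no shadow entry at all, and it only recognises the "!" locking prefix; pam_unix also treats "*" and "!!" password fields as unusable, while an empty field means no password is required. The script below separates those cases and lists every account that has a real login shell and is not locked, which is the "dormant accounts are active" question. The passwd and shadow lines are constructed sample data with made-up users (slime1 and slime2 echo the post's naming; oldbob is invented); the hashes are placeholders, not real.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies accounts from
# /etc/passwd- and /etc/shadow-format text as locked / unlocked / nopassword.
# Password-field conventions checked (pam_unix): "!..." (passwd -l / usermod -L),
# "*" (never set), "!!" (locked, never set), "" (no password at all).

# Constructed sample data; usernames and hashes are made up for the example.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
slime1:x:1001:1001::/home/slime1:/bin/bash
slime2:x:1002:1002::/home/slime2:/bin/bash
oldbob:x:1003:1003::/home/oldbob:/bin/bash'

SAMPLE_SHADOW='root:$6$abc$placeholderhash:19800:0:99999:7:::
daemon:*:19000:0:99999:7:::
slime1:$6$def$placeholderhash:19900:0:99999:7:::
slime2:!$6$ghi$placeholderhash:19500:0:99999:7:::
oldbob:!!:19000:0:99999:7:::'

# account_state USER SHADOW_TEXT
# Prints one of: missing, nopassword, locked, unlocked.
account_state() {
  user=$1
  # Pull the password field for USER; emit a sentinel if no entry exists,
  # so "no entry" is not confused with "not locked" (the grep in the post
  # returns 1 in both cases).
  field=$(printf '%s\n' "$2" | awk -F: -v u="$user" \
    '$1 == u { print $2; found = 1 } END { if (!found) print "__missing__" }')
  case $field in
    __missing__) echo missing ;;
    '')          echo nopassword ;;   # empty field: login without a password
    '!'*|'*'*)   echo locked ;;       # "!", "!!", "!$6$...", "*"
    *)           echo unlocked ;;     # a usable hash
  esac
}

# unlocked_login_accounts PASSWD_TEXT SHADOW_TEXT
# Prints, space separated, every user whose login shell is not nologin/false
# and whose shadow entry does not lock the account. These are the accounts
# an attacker could actually use to log in.
unlocked_login_accounts() {
  out=""
  for u in $(printf '%s\n' "$1" | awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }'); do
    case $(account_state "$u" "$2") in
      unlocked|nopassword) out="$out $u" ;;
    esac
  done
  echo "${out# }"
}

# Demo on the constructed data. On a real host run instead:
#   unlocked_login_accounts "$(cat /etc/passwd)" "$(sudo cat /etc/shadow)"
echo "unlocked login accounts: $(unlocked_login_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW")"
```

On the sample data this reports root and slime1: slime2 is locked with the "!" prefix, oldbob with "!!", and daemon has both a "*" field and a nologin shell. Running the real-host form gives a quick list of which "dormant" accounts can still log in, which is more useful during triage than a single per-user grep.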