I had not seen this previously. Symptom was website displayd only ERROR and nothing error related in logs. Apache access log showed the access but nothing beyond that. After some head scratching I looked at the database, it had been purged and replaced with table WARNING containing instructions on where to send bitcoin. I restored database from backups, I could guess which old copy was still OK by comparing size of database dump. The cracked ones were tiny, the good one was the latest with bigger size. Then change all password for that website and database. I do not know how the cracker managed to do this. It may be by guessing the database user password, or foxcontact (both cracked Joomla sites had Foxcontact) had some security hole. Or some other Joomla add-on. The server runs ISPConfig, I posted on this forum since nothing ISPConfig related in this cracking issue.