Why do syslog and uml-net have /home in /etc/passwd?

Inherited from old times and to not break stuff. Every line in /etc/passwd needs a home (see the addition below). And /etc/passwd is something we take as is as part of the Linux system (and not a Debian/Ubuntu specific feature).

In the old days syslog-ng was pretty common and that used /home/syslog/ to create a directory in there for each data source type.

Before the switch to systemd using rsyslog, storing logs in /var/log/syslog was more common. And systemd uses /run/systemd/journal/syslog.

See the man page:

/etc/passwd contains one line for each user account, 
with seven fields delimited by colons (“:”). These fields are:

   ·   login name
   ·   optional encrypted password
   ·   numerical user ID
   ·   numerical group ID
   ·   user name or comment field
   ·   user home directory
   ·   optional user command interpreter

The encrypted password and user command interpreter explicitly are mentioned as "optional". So I would assume the others are mandatory.

In my case the user was possibly created by a malicious crypto mining script, the give away was it was the last user added:

...
uml-net:x:114:118::/nonexistent:/bin/false

The server was likely infected by this: https://security.stackexchange.com/questions/201263/a-process-called-watchbog-is-mining-crypto-currency-in-our-server-how-do-i-st?noredirect=1&lq=1

It also left a ssh publickey login backdoor and various modified cron hooks. Your best bet is to re-install server with latest updates, and revision track /etc/ to help you notice differences - the latter helped me.

Some files had user group Debian-exim so likely this server got compromised due to this https://www.linuxtechnews.com/cve-2019-10149-debian-has-released-critical-security-update-for-exim/