Strato package suspension due to distribution of malicious software
Strato ranks third among Germany’s largest web hosting providers, directly behind 1&1 Ionos and Hetzner. Through aggressive €1 marketing and large-scale 'Service Champion' advertising campaigns, the provider has built up a market share of nearly 14% over the years.
Accordingly, a large proportion of our customers also host their website with Strato. In principle, Strato is well positioned in terms of security features. However, if a hack occurs, the malware handling is poorly designed.
If the server-side malware scanner finds malicious files as a result of a hacker attack, the hosting package is immediately suspended and you receive an email with the subject line 'Suspension of your package ...'.
From that moment on, every visit to the website(s) in the package displays the message:
'This website is currently unavailable.'
Compared to all other hosting providers, the reactivation process is very time-consuming and lengthy. Without professional support the procedure may, in some cases, drag on for one week or even longer. Here you can find out why this happens and how we can get your hacked website back online the very same day after cleanup.
Strato - This website is currently unavailable
Of course, it is frustrating when a well-visited website suddenly becomes unavailable. In this respect, however, Strato cannot really be blamed at first, since a hacked website poses a potential risk to all website visitors. The suspension prevents the hack from spreading further and also stops spam emails from being sent via the website (a common consequence of a hacker attack).
Instructions for reactivation
In Strato’s suspension email, a handful of infected files are listed as examples. However, this list is rarely complete and is intended only as a starting point for the cleanup. Based on the modification timestamps of the files, you may, with some luck, be able to identify a backup that was created before the hacker attack.
It is important to note that a hack often only becomes noticeable some time after the actual attack. By default, Strato provides backups covering the last 4 weeks: https://www.strato.de/...auf-ein-backup-ihrer-homepage-zugreifen/
In many cases, even the oldest backup is already infected.
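The timestamp triage described above, as an added example that is not part of the original article. It assumes GNU stat, find and date on the SSH host; the function names and the backup dates you pass in are illustrative.

```shell
# Added example, not the article's own tooling. Modification times can be
# altered by an attacker, so treat every result as a starting point only.

# earliest_mtime FILE...
# Epoch seconds of the oldest modification time among the files that the
# suspension email lists as infected.
earliest_mtime() {
    stat -c '%Y' -- "$@" | sort -n | head -n 1
}

# changed_since ROOT EPOCH
# Every file under ROOT (hidden files included) modified at or after EPOCH,
# oldest first. These are candidates the email's sample list may have missed.
changed_since() {
    find "$1" -type f -newermt "@$(( $2 - 1 ))" -printf '%T@ %p\n' |
        sort -n | cut -d' ' -f2-
}

# backup_candidate EPOCH YYYY-MM-DD...
# Newest backup date that lies strictly before the day of EPOCH (UTC).
# Prints nothing if every backup is from that day or later. The restored
# backup still has to be scanned: the intrusion may predate the first
# flagged modification.
backup_candidate() {
    local cutoff
    cutoff=$(date -u -d "@$1" +%F)
    shift
    printf '%s\n' "$@" | sort | awk -v c="$cutoff" '$0 < c' | tail -n 1
}

# Typical use (paths and dates are placeholders):
#   t=$(earliest_mtime ./path/from/email1.php ./path/from/email2.php)
#   changed_since . "$t"
#   backup_candidate "$t" 2019-07-07 2019-07-14 2019-07-21
```

An empty result from backup_candidate corresponds to the case where even the oldest backup postdates the first flagged change, so a manual cleanup is needed.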
Communication with the abuse department - patience is required
As soon as the account cleanup has been completed, reply to the suspension email and request reactivation. The catch is that each response from the abuse department takes around 3 to 7 days.
If the restored backup also already contains infected files, or if there are additional infected files that were not previously listed by support, the matter is extended by several more days with each attempt. For this reason, it is very important to proceed thoroughly and carefully, or to contact an expert directly.
Our approach in the special case of Strato
First, we create a backup of the current state in the SSH console. The following command creates a compressed archive of all files on the webspace, including hidden files such as .htaccess:
tar cfvz backup.tar.gz --exclude=./backup.tar.gz .
Since phpMyAdmin is also locked, we then back up the associated database(s) using the following commands:
List of available backups for a database user:
mysqlbackups U123456
Export an SQL file to the main directory on the webspace:
mysqldump --add-drop-table -h mysql_[DATUM]-[ZEIT] -u [Benutzername] -p [Datenbankname] > [Dateiname].sql
Next, the data is downloaded and the website is cleaned on our server.
As soon as the website has been fully cleaned and secured, we put your website back online immediately. This is achieved by temporarily redirecting the domain's A record to our server's IP address. Email traffic remains unaffected and continues to function normally.
In the final step, the cleaned version is transferred back to Strato and reactivation can be requested.
As soon as the package has been unlocked again (which, as mentioned, can take up to a week), we remove the temporary IP redirect and the domain points to the Strato webspace again - with that, the job is complete.
- Last Updated: 09 August 2019
