Strato package suspension due to the distribution of harmful software
Strato ranks third among Germany’s largest web hosts, directly behind 1&1 Ionos and Hetzner. Through aggressive €1 marketing and large-scale "Service Champion" advertising campaigns, the provider has gained a market share of almost 14% over the years.
Accordingly, the share of our customers who host their website at Strato is also high. In principle, Strato is well equipped in terms of security features. However, if a hack occurs, the malware handling is poorly implemented.
If the server-side malware scanner finds malicious files as a result of a hacker attack, the hosting package is promptly suspended and you receive an email with the subject line "Sperrung Ihres Paketes ...".
From then on, every request to the website(s) in the package returns the notice
"This website is currently not reachable."
Compared with all other hosts, the reactivation process is very complex and time-consuming. Without professional support, it can take a week or even longer in some cases. Here you will learn why this is the case and how we can get your hacked website back online on the same day, immediately after cleanup.
Strato - website is currently not reachable
Of course, it is frustrating when a well-visited website suddenly becomes unavailable. In that respect, however, Strato cannot really be blamed, as a hacked website poses a potential risk to all website visitors. The block prevents the hack from spreading further, and spam emails can no longer be sent via the website either (a common consequence of a hacker attack).
Instructions for unblocking
In Strato's blocking email, a handful of malicious files are mentioned by way of example. However, this list is rarely complete and is intended only as a starting point for cleanup. Based on the modification time of the files, you may be able to identify a backup that was created before the hacker attack.
Please note that a hack often only becomes noticeable some time after the actual attack. Strato provides backups by default for a period of the last 4 weeks: https://www.strato.de/...auf-ein-backup-ihrer-homepage-zugreifen/
In many cases, even the oldest backup is already infected.
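The modification-time check described above can be scripted in the SSH console. The following is an added example, not part of the original article; it assumes GNU stat, find, date and touch, and all file names and backup dates in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes GNU stat/find/date/touch,
# as found on Linux webspace shells. All paths and dates are constructed samples.

# Oldest modification time (epoch seconds) among the files named in the email.
earliest_mtime() (
    min=""
    for f in "$@"; do
        t=$(stat -c %Y -- "$f" 2>/dev/null) || continue   # skip files already gone
        if [ -z "$min" ] || [ "$t" -lt "$min" ]; then min=$t; fi
    done
    if [ -n "$min" ]; then printf '%s\n' "$min"; fi
)

# Every file under $1 (dotfiles included) modified at or after epoch $2.
changed_since() (
    cd "$1" || exit 1
    find . -type f -printf '%T@ %p\n' |
        awk -v s="$2" '$1 >= s { sub(/^[^ ]+ /, ""); print }' | LC_ALL=C sort
)

# Newest backup date (YYYY-MM-DD) that is older than epoch $1.
last_clean_backup() (
    cutoff=$1; shift; best=""; best_t=0
    for d in "$@"; do
        t=$(date -u -d "$d" +%s) || continue
        if [ "$t" -lt "$cutoff" ] && [ "$t" -gt "$best_t" ]; then best=$d; best_t=$t; fi
    done
    if [ -n "$best" ]; then printf '%s\n' "$best"; fi
)

# Constructed sample webspace: two files "named in the email", one that is not.
site=$(mktemp -d); trap 'rm -rf "$site"' EXIT
mkdir -p "$site/uploads"
touch -d '2019-07-01 10:00:00 UTC' "$site/index.php"
touch -d '2019-07-20 03:12:00 UTC' "$site/uploads/flagged-a.php"
touch -d '2019-07-22 04:00:00 UTC' "$site/flagged-b.php"
touch -d '2019-07-21 09:30:00 UTC' "$site/.htaccess"

since=$(earliest_mtime "$site/uploads/flagged-a.php" "$site/flagged-b.php")
echo "Earliest flagged change: $(date -u -d "@$since" '+%Y-%m-%d %H:%M UTC')"
echo "Files changed since then (review all of them):"
changed_since "$site" "$since"
echo "Newest backup before that point:"
last_clean_backup "$since" 2019-07-05 2019-07-12 2019-07-19 2019-07-26
```

Modification times can be reset by whoever controls the account, so treat the result as a starting point for review, not as proof that an older backup is clean.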
Communication with the Abuse department - patience is required
Once the cleanup of the account has been completed, reply to the blocking email at abuse[at]strato.de and request reactivation. The catch is that every response from the Abuse department takes around 3 to 7 days.
If the restored backup also contains malicious files, or if additional malicious files are present that were not previously listed by support, the matter is extended by several days with each attempt. For this reason, it is very important to proceed thoroughly and carefully, or to contact an expert directly.
Our approach in the special case of Strato
First, we create a backup of the current state via the SSH console. The following command creates a compressed archive of all files on the webspace, including hidden files such as .htaccess:
tar cfvz backup.tar.gz --exclude=./backup.tar.gz .
Since phpMyAdmin is also blocked, we then back up the associated database(s) using the following commands:
List the backups available for a database user:
mysqlbackups U123456
Export an SQL file to the main directory on the webspace (placeholders: DATUM = date, ZEIT = time, Benutzername = user name, Datenbankname = database name, Dateiname = file name):
mysqldump --add-drop-table -h mysql_[DATUM]-[ZEIT] -u [Benutzername] -p [Datenbankname] > [Dateiname].sql
The data is then downloaded and the website is cleaned on our server.
As soon as the website has been fully cleaned and secured, we bring it back online immediately. This is achieved by temporarily pointing the domain's A record to the IP address of our server. Email traffic remains unaffected and continues to work.
In the final step, the clean version is transferred back to Strato and reactivation can be requested.
As soon as the package has been unblocked again (which, as mentioned, can take up to a week), we remove the temporary IP redirect and the domain points back to the Strato webspace - this completes the job.
- Last Updated: 09 August 2019
