911 Hack Removal

Removing the Cloki Malware from WordPress & Joomla Websites (Website Slowdown)

Updated on: March 29, 2020

Removing the Cloki Malware from WordPress & Joomla Websites (Website Slowdown)

What is Cloki Malware?

A new kind of malware has surfaced, dubbed as “Cloki” which has been slowing down (& also crashing) vulnerable Joomla & WordPress websites. The malware is able to execute core system commands without having access to cPanel or SSH. It is able to add a cron job so that the malware code is executed repeatedly in a very short time. This causes the server resources to be maxed out, making your WordPress and Joomla websites slow. We  have seen cases where hosting accounts like like GoDaddy, Hostgator, and InMotion have suspended the Linux shared hosting accounts of website infected with Cloki.

COKI malware sending emails (spamming)

How to check if you are hacked with Cloki

  1. Check the Cron Jobs/CronTabs running on your server (via cPanel): If you see a cron job you have not added, which looks like this:

    root@<owner>:/home/<owner># crontab -l -u <owner> */4 * * * * pidof cloki || exec removed script”

  2. Check for files with the following name on the server. They are usually located in the home directory of your user:
    1. cloki
    2. mip
    3. udic
    4. wprx
    5. xmcc
CLOKI malware on Joomla server
Screenshot of malicious files in a FTP app

How to Fix Cloki Malware

  1. Temporarily disable/suspend your hosting account via the cPanel/WHM or by raising a ticket with your hosting company
  2. Create a custom php.ini fine in the public_html folder that has the following ‘disable_functions’ added:
    show_source, system, shell_exec, passthru, phpinfo, popen, proc_open, allow_url_fopen, eval, exec, parse_ini_file, open_base, symlink.
  3. Delete the Cloki cron job which you must have found in the earlier section.
  4. Delete all instances of the malicious files mentioned below:
    1. cloki
    2. mip
    3. udic
    4. wprx
    5. xmcc
  5. Re-enable your hosting account and monitor the website for a few minutes.
  6. Check the files or cron jobs if have been created again by the malware

How to Protect Joomla and WordPress from Cloki

  1. Protect the site with a Web Application Firewall (WAF)
  2. Disable dangerous PHP functions on the server using the the php.ini file as mentioned in the previous section.
  3. Update the CMS & plugins, i.e WordPress & Joomla core versions
  4. Check for vulnerable file upload areas in your website. Make sure
  5. Regularly monitor file & cron job changes on the server

Removing Cloki can get a little tricky. The malware has a tendency to reinfect very quickly. By the delete you one file/cron job, another gets created almost instantly. If you want help in cleaning this infection from your website, head over to our website cleanup & malware removal page.

Was this post helpful?

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
Website Design Oakville

Excellent blog post. I used to be looking for something very different,
but stumbled on your blog. I am glad I did. Many thanks for sharing

useful information. Thank you and all the best.

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany