What is Cloki Malware?

A new kind of malware has surfaced, dubbed “Cloki”, which has been slowing down (and also crashing) vulnerable Joomla and WordPress websites. The malware is able to execute core system commands without having access to cPanel or SSH. It adds a cron job so that the malware code is executed repeatedly at very short intervals. This maxes out the server's resources, making your WordPress and Joomla websites slow. We have seen cases where hosting providers such as GoDaddy, HostGator, and InMotion have suspended the Linux shared hosting accounts of websites infected with Cloki.

Screenshot: Cloki malware sending emails (spamming)

How to check if you are hacked with Cloki

  1. Check the cron jobs (crontabs) running on your server via cPanel. Look for a cron job you have not added; a Cloki entry looks like this:

    root@<owner>:/home/<owner># crontab -l -u <owner>
    */4 * * * * pidof cloki || exec <removed script>

  2. Check for files with the following names on the server. They are usually located in the home directory of your user:
    1. cloki
    2. mip
    3. udic
    4. wprx
    5. xmcc
Screenshot: Cloki malware files on a Joomla server, as seen in an FTP client

How to Fix Cloki Malware

  1. Temporarily disable/suspend your hosting account via the cPanel/WHM or by raising a ticket with your hosting company
  2. Create a custom php.ini file in the public_html folder that has the following entries added to ‘disable_functions’:
    show_source, system, shell_exec, passthru, phpinfo, popen, proc_open, allow_url_fopen, eval, exec, parse_ini_file, open_base, symlink.
  3. Delete the Cloki cron job that you found in the earlier section.
  4. Delete all instances of the malicious files mentioned below:
    1. cloki
    2. mip
    3. udic
    4. wprx
    5. xmcc
  5. Re-enable your hosting account and monitor the website for a few minutes.
  6. Check whether the files or cron jobs have been created again by the malware.
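The cron and file checks from the “How to check” section, and the re-check in step 6 above, as one read-only POSIX shell script. This is an added example, not code from the original post or from Astra; it assumes the indicator file names and the “pidof cloki” cron pattern quoted above, and the CLOKI_CHECK_NOW variable is an assumed name of my own.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only check for the Cloki
# indicators described above. It reports findings and never deletes anything.

# File names the post associates with Cloki, looked up in the home directory.
CLOKI_FILES="cloki mip udic wprx xmcc"

# Read crontab text on stdin and print any line that references a "cloki"
# process or binary. Exit status 0 = at least one match, 1 = none (grep's).
find_cloki_cron() {
    grep -E 'pidof[[:space:]]+cloki|(^|[[:space:]/])cloki([[:space:]]|$)'
}

# Print each indicator file that exists directly under directory $1.
# Exit status 0 = at least one found, 1 = none.
find_cloki_files() {
    dir="$1"
    found=1
    for name in $CLOKI_FILES; do
        if [ -e "$dir/$name" ]; then
            echo "$dir/$name"
            found=0
        fi
    done
    return "$found"
}

# Check the current account: its own crontab plus its home directory.
# Exit status 1 means an indicator was found; rerun after cleanup to catch reinfection.
check_host() {
    hits=0
    if crontab -l 2>/dev/null | find_cloki_cron; then
        echo "WARNING: crontab references cloki (entry listed above)"
        hits=1
    fi
    if find_cloki_files "${HOME:?}"; then
        echo "WARNING: Cloki indicator file(s) present in $HOME (listed above)"
        hits=1
    fi
    return "$hits"
}

# Set CLOKI_CHECK_NOW=1 (assumed variable name) to scan the live account when
# the script is executed; kept opt-in so the functions can also be sourced.
if [ "${CLOKI_CHECK_NOW:-0}" = "1" ]; then
    check_host
fi
```

Run it once before cleanup to record what is present, and again a few minutes after re-enabling the account; a non-zero exit status on the second run means the malware has recreated its cron job or files.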

How to Protect Joomla and WordPress from Cloki

  1. Protect the site with a Web Application Firewall (WAF)
  2. Disable dangerous PHP functions on the server using the php.ini file as mentioned in the previous section.
  3. Update the CMS and plugins, i.e. the WordPress and Joomla core versions.
  4. Check for vulnerable file upload areas in your website. Make sure
  5. Regularly monitor file & cron job changes on the server

Removing Cloki can get a little tricky. The malware has a tendency to reinfect very quickly: by the time you delete one file or cron job, another gets created almost instantly. If you want help in cleaning this infection from your website, head over to our website cleanup & malware removal page.


About The Author

Ananda Krishna

Ananda is a security researcher at Astra. Having worked in the cybersecurity field for more than six years, he possesses acute knowledge of the subject. He is actively involved in the cyber security community and has shared his knowledge at various forums and invited talks.

2 Comments

  1. Website Design Oakville

    Excellent blog post. I used to be looking for something very different,
    but stumbled on your blog. I am glad I did. Many thanks for sharing

    useful information. Thank you and all the best.
