
Removing the Cloki Malware from WordPress & Joomla Websites (Website Slowdown)

What is Cloki Malware?

A new kind of malware has surfaced, dubbed “Cloki”, which has been slowing down (and also crashing) vulnerable Joomla and WordPress websites. The malware is able to execute core system commands without having access to cPanel or SSH. It adds a cron job so that the malware code is executed repeatedly at very short intervals. This maxes out the server resources, making your WordPress and Joomla websites slow. We have seen cases where hosting providers like GoDaddy, Hostgator, and InMotion have suspended the Linux shared hosting accounts of websites infected with Cloki.

How to check if you are hacked with Cloki

  1. Check the Cron Jobs/CronTabs running on your server (via cPanel): If you see a cron job you have not added, which looks like this:

    root@<owner>:/home/<owner># crontab -l -u <owner>
    */4 * * * * pidof cloki || exec <removed script>

  2. Check for files with the following name on the server. They are usually located in the home directory of your user:
    1. cloki
    2. mip
    3. udic
    4. wprx
    5. xmcc
Screenshot of malicious files in an FTP app
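The two checks above can be scripted. The following is an added example written for this article, not part of the original post: it scans a crontab listing for the `pidof cloki` pattern and searches a home directory for the five file names. The sample crontab text and the scratch directory it creates are constructed for the demonstration, and the assumption is that the dropped files keep the names listed above (a renamed copy would need a content-based check instead).

```shell
#!/bin/sh
# Added example (not from the original post): detection helpers for the Cloki
# indicators described above. Runs offline against constructed sample data.

# File names the malware is known to drop, as listed in the post.
CLOKI_FILES="cloki mip udic wprx xmcc"

# Return 0 if the crontab text on stdin contains a Cloki-style entry,
# i.e. a job that checks "pidof cloki" before re-launching the payload.
# Assumption: the pattern is as shown in the post; a modified dropper may differ.
crontab_has_cloki() {
    grep -Eq 'pidof[[:space:]]+cloki'
}

# Print every regular file under directory $1 whose name is one of CLOKI_FILES.
find_cloki_files() {
    for name in $CLOKI_FILES; do
        find "$1" -type f -name "$name" 2>/dev/null
    done
}

# Number of matching files under $1 (0 means none of the known names are present).
count_cloki_files() {
    find_cloki_files "$1" | wc -l | tr -d ' '
}

# --- demonstration on constructed data (not real infection artifacts) ---
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/4 * * * * pidof cloki || exec /home/example/cloki'

# Constructed scratch "home directory" with two decoy hits and one clean file.
SANDBOX="$(mktemp -d)"
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/public_html"
: > "$SANDBOX/cloki"
: > "$SANDBOX/public_html/wprx"
: > "$SANDBOX/public_html/index.php"

if printf '%s\n' "$SAMPLE_CRON" | crontab_has_cloki; then
    echo "suspicious cron entry found"
fi
find_cloki_files "$SANDBOX"
```

On a live account, feed the real listing in with `crontab -l -u <owner> | crontab_has_cloki` and point `find_cloki_files` at the account's home directory; both functions only read, so they are safe to run before the cleanup steps.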

How to Fix Cloki Malware

  1. Temporarily disable/suspend your hosting account via the cPanel/WHM or by raising a ticket with your hosting company
  2. Create a custom php.ini file in the public_html folder that has the following ‘disable_functions’ added:
    show_source, system, shell_exec, passthru, phpinfo, popen, proc_open, allow_url_fopen, eval, exec, parse_ini_file, open_base, symlink.
  3. Delete the Cloki cron job which you must have found in the earlier section.
  4. Delete all instances of the malicious files mentioned below:
    1. cloki
    2. mip
    3. udic
    4. wprx
    5. xmcc
  5. Re-enable your hosting account and monitor the website for a few minutes.
  6. Check whether the files or cron jobs have been created again by the malware
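Steps 2 to 4 can be rehearsed on a scratch directory before touching the live account. The following is an added example written for this article, not part of the original post: it writes the custom php.ini, filters the Cloki entry out of a crontab listing without dropping other jobs, and removes the named files. The scratch directory and sample crontab are constructed; `open_basedir` is assumed to be what the list's “open_base” refers to, and since `allow_url_fopen` is an ini directive rather than a function it is set on its own line.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for steps 2-4 of the
# cleanup above. Each works on a path or text you hand it, so it can be tried
# on a scratch directory first.

CLOKI_FILES="cloki mip udic wprx xmcc"   # dropped file names from the post

# Step 2: write a custom php.ini into the given public_html directory.
# The post's list mixes function names with ini directives: allow_url_fopen is a
# directive, so it gets its own line; open_basedir (assumed to be what the post
# calls "open_base") takes a path, so it is left commented for you to fill in.
# eval is a language construct that disable_functions cannot block; it stays in
# the list as the post gives it, but do not rely on that entry.
write_hardened_php_ini() {
    target="$1/php.ini"
    cat > "$target" <<'EOF'
; custom php.ini (added example)
disable_functions = show_source,system,shell_exec,passthru,phpinfo,popen,proc_open,eval,exec,parse_ini_file,symlink
allow_url_fopen = Off
;open_basedir = /home/<owner>/public_html:/tmp
EOF
    printf '%s\n' "$target"
}

# Return 0 if the php.ini at $1 names function $2 in disable_functions.
php_ini_disables() {
    grep -E '^disable_functions' "$1" | sed 's/^[^=]*= *//' | tr ',' '\n' | grep -qx "$2"
}

# Step 3: filter a crontab listing (stdin -> stdout), dropping only the Cloki
# entry and keeping every other job. Returns 0 even when nothing is left.
strip_cloki_cron() {
    grep -Ev 'pidof[[:space:]]+cloki' || [ $? -eq 1 ]
}

# Step 4: delete the dropped files under home directory $1, printing each path.
remove_cloki_files() {
    for name in $CLOKI_FILES; do
        find "$1" -type f -name "$name" -print -exec rm -f {} \; 2>/dev/null
    done
}

# Number of dropped files still under $1 (0 means clean); re-run this for step 6.
remaining_cloki_files() {
    n=0
    for name in $CLOKI_FILES; do
        n=$((n + $(find "$1" -type f -name "$name" 2>/dev/null | wc -l)))
    done
    echo "$n"
}

# --- rehearsal on a constructed scratch account (not real infection data) ---
SCRATCH="$(mktemp -d)"
trap 'rm -rf "$SCRATCH"' EXIT
mkdir -p "$SCRATCH/public_html"
: > "$SCRATCH/cloki"
: > "$SCRATCH/public_html/xmcc"
: > "$SCRATCH/public_html/index.php"

SAMPLE_CRON='0 3 * * * /usr/bin/certbot renew --quiet
*/4 * * * * pidof cloki || exec /home/example/cloki'

write_hardened_php_ini "$SCRATCH/public_html"
printf '%s\n' "$SAMPLE_CRON" | strip_cloki_cron
remove_cloki_files "$SCRATCH"
```

On the real account the cron step becomes `crontab -l -u <owner> | strip_cloki_cron > /tmp/clean.cron` followed by a review of that file before loading it back with `crontab -u <owner> /tmp/clean.cron`; doing it this way preserves legitimate jobs, which `crontab -r` would not.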

How to Protect Joomla and WordPress from Cloki

  1. Protect the site with a Web Application Firewall (WAF)
  2. Disable dangerous PHP functions on the server using the php.ini file as mentioned in the previous section.
  3. Update the CMS & plugins, i.e. WordPress & Joomla core versions
  4. Check for vulnerable file upload areas in your website. Make sure
  5. Regularly monitor file & cron job changes on the server

Removing Cloki can get a little tricky. The malware has a tendency to reinfect very quickly: by the time you delete one file or cron job, another gets created almost instantly. If you want help in cleaning this infection from your website, head over to our website cleanup & malware removal page.
