Cloki cron malware hacked cPanel Hosting - Remove & Fix VirusWritten by Jatin Saini on .
Has your cPanel hosting recently been hacked by a malware called Cloki?
We have recently gone through fixing multiple hosting account located across multiple hosting providers that were under Cloki attack. Even the most popular ones like Hostgator & BlueHost are not protected from this attack.
Our current solution can help you instantly get out of the attack and protect your shared hosting account from being banned due to Cloki running multiple processes that overload the server.
While you might be thinking if our easy solution is a permanent fix or not, we call this an instant fix and the permanent solution will be more likely linked to having an updated website if you are using CMS such as WordPress or Joomla. Are you currently running on outdated CMS software? Contact IDL Web Inc Today to get instant support for Joomla Website Development and get your website scanned by experts.
How to fix Cloki Hack?
If you are using Hostgator or Bluehost, they have a dedicated area in Control Panel where you can watch the currently running processes. Open the running process list page in new tab. Also search for Cron Jobs and open it in a separate browser tab as well. Now, you need to do two tasks simultaneously, one is to kill the running tasks and remove the cron job. But as the CLOKI malware is running in memory, you have to repeat this procedure multiple times.
We followed a simple process of KILLING 3-4 running processes and then refreshing the CRON JOBS page and remove the newly created cron job. The cron job will keep adding back as the cCoki is running its malware in a cycle. To break in the cycle, keep killing 3-4 running processes and then remove the Cloki cron job. After few minutes of repetitive process killing and cron removal, you will find your hosting account out of the Cloki hack cycle.
If you thought that this was simple, the complex part follows, that is removal of modified files in the system.
First of all, access root folder of your hosting account and remove newly created files, namely CLOKI, WPRX, CONFIG.JSON or any other file that you find suspicious and has been created around the time when the file Cloki was created. Remember, the system is free from Cloki attack but your Website Software namely WordPress or Joomla might have already been infected. We cannot provide steps on how to cleanup hacked CMS files as it might vary from one setup to another.
Update your CMS to the latest version as soon as possible.
If you want us to deeply look into your website and repair/clean the installation, contact IDL Web Inc. We provide emergency same day Joomla repair services to help your business stay live and online.