TL;DR
Attackers are posting very large HTML pages on your website. This could be simple spam, but it’s more likely a malicious attempt to harm your site’s performance or SEO, or to exploit vulnerabilities. Check for hidden code, redirects, and unusual server load. Scan with security tools and consider limiting post size.
1. Understand the Problem
Large HTML posts are suspicious because legitimate content rarely requires huge file sizes. Here’s why attackers use them:
- SEO Spam: Stuffing pages with keywords to try and rank higher in search results.
- Resource Exhaustion: Overloading your server, potentially causing a denial-of-service (DoS).
- Hidden Redirects: Sending visitors to malicious websites without their knowledge.
- Exploit Attempts: Injecting code that tries to exploit vulnerabilities in your website software or plugins.
2. Identify the Posts
Find the posts causing problems. Most content management systems (CMS) have tools for this.
- WordPress: Check the “Posts” section and sort by size. Look for unusually large files.
- Drupal/Joomla: Use the admin interface to list posts, sorted by file size or content length.
If you have a lot of posts, consider using a database query (if you’re comfortable with SQL) to find them:
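-- wp_ is the default table prefix; the title column in wp_posts is post_title.
-- Return the content length instead of the full body so the result stays readable.
SELECT ID, post_title, LENGTH(post_content) AS content_length FROM wp_posts WHERE post_type = 'post' ORDER BY content_length DESC LIMIT 10;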
3. Inspect the HTML Source Code
This is the most important step! Don’t just look at what you see on the page – view the raw HTML source code.
- Hidden Redirects: Look for <meta http-equiv="refresh" content="0; URL=http://malicious.website/"> or JavaScript redirects (e.g., window.location = 'http://malicious.website/';).
- Obfuscated Code: Search for code that’s hard to read, often using base64 encoding or other techniques.
- External Scripts: Check for links to external JavaScript files from unknown domains. These could be loading malicious scripts.
- Iframes: Look for <iframe src="http://malicious.website/"> tags, which can load content from other websites.
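A triage script for the checks in step 3, as an added example that is not part of the original article: it parses a post body with Python's standard html.parser and reports meta refreshes, iframes, scripts loaded from hosts outside your site, inline JavaScript redirects, and long base64-like runs. SITE_HOSTS, the 200-character threshold, and the sample post are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOSTS = {"example.com", "www.example.com"}  # assumption: your own hostnames
JS_REDIRECT = re.compile(r"\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}")  # assumption: 200+ chars is worth a look

class PostAuditor(HTMLParser):
    """Collects (kind, detail) findings for the indicators listed in step 3."""
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes arrive as None
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "iframe":
            self.findings.append(("iframe", a.get("src", "")))
        elif tag == "script":
            self.in_script = True
            host = urlparse(a.get("src", "")).hostname  # None for relative URLs
            if host and host.lower() not in SITE_HOSTS:
                self.findings.append(("external-script", a["src"]))

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script and JS_REDIRECT.search(data):  # inline script assigns location
            self.findings.append(("js-redirect", data.strip()[:80]))

def audit_post(html):
    """Return a list of (kind, detail) findings for one post body."""
    auditor = PostAuditor()
    auditor.feed(html)
    auditor.close()
    if BASE64_RUN.search(html):
        auditor.findings.append(("long-base64-run", "200+ base64-like characters"))
    return auditor.findings

# Constructed sample post body (not real data), using the article's placeholder domain.
SAMPLE = ('<p>Hello</p><meta http-equiv="refresh" content="0; URL=http://malicious.website/">'
          '<script src="/js/site.js"></script><script src="//cdn.unknown.example/x.js"></script>'
          '<script>window.location = "http://malicious.website/";</script>'
          '<iframe src="http://malicious.website/"></iframe>')

if __name__ == "__main__":
    print(*audit_post(SAMPLE), sep="\n")
```

Feed it the post_content values returned by the query in step 2. A finding is a reason to read that post's source by hand, not proof of compromise.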
4. Check Server Logs
Server logs can reveal more about the attack.
- Access Logs: Look for requests to these posts from unusual IP addresses or user agents.
- Error Logs: See if there are any errors related to these posts, which might indicate a failed exploit attempt.
The location of your server logs depends on your hosting provider and web server (e.g., Apache, Nginx).
5. Scan with Security Tools
Use security plugins or online scanners to check for malware and vulnerabilities.
- WordPress: Use plugins like Wordfence, Sucuri Security, or MalCare.
- Online Scanners: Try VirusTotal or Sucuri SiteCheck (https://sitecheck.sucuri.net/).
6. Limit Post Size
Prevent future attacks by limiting the maximum size of posts.
- WordPress: Use a plugin like “Limit Post Length” or edit your theme’s functions.php file (advanced).
- Other CMS: Check your CMS documentation for options to limit content length.
A reasonable post size limit is usually around 5-10MB, depending on your website’s needs.
7. Restore from Backup (If Necessary)
If you find evidence of a serious compromise, restore your website from a clean backup taken before the attack occurred. Make sure to update all software and plugins *before* restoring.
8. Improve cyber security generally
- Keep your CMS, themes, and plugins up-to-date
- Use strong passwords and two-factor authentication
- Regularly back up your website

