• I’ve pluginized the code that logs all $POST variables sent to your WordPress blogs. This ought to make it easier for people to see what is actually going on on their sites.

    Why would you use this?

    In a nutshell, Apache does not provide enough information for tracking down the source of exploits. A typical Apache log entry only shows the file name, the time it was accessed and some user-agent info.

    Unfortunately, if a site is being actively exploited, this isn’t enough information.

    postlogger will capture the actual variables sent to the file:

    comment = SO ON AND SO FORTH
    submit = Submit Comment
    comment_post_ID = 1
    _wp_unfiltered_html_comment = e09c655751
    66.41.1.1
    /wp-comments-post.php
    April 16, 2008, 5:30 pm
    ————–**********——————

    Here is an even more illustrative example:

    cookie = wordpressuser_5ef523d2e8a7d3002049a4b753d004ba=admin%27 and IF(ORD(SUBSTRING(user_pass,25,1))>48,(select 1 from wp_options),0)/*; wordpresspass_5ef523d2e8a7d3002049a4b753d004ba%3dx
    195.225.176.66
    /wp-admin/admin-ajax.php

    That is a real-life exploit for an older version of WordPress – it was captured using my code. The Apache log entry for this shows nothing more than the filename, the time, and the U-A.

    I’ve gone over the installation instructions in the permalink, and in a readme.txt that is included in the zip file. Please pay close attention to #1 and #2.

    Download and permalink:

    https://www.village-idiot.org/post-logger
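One way to triage a log in the layout quoted in the post above, added here as an example; it is not part of postlogger or of the thread. It assumes complete records (variables, then IP, path, time and separator), and the function names, hint patterns and sample data are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in the layout quoted in the post; IPs are placeholders.
SAMPLE_LOG = """\
comment = nice post, thanks
see also my site
192.0.2.10
/wp-comments-post.php
April 16, 2008, 5:30 pm
————–**********——————
cookie = wordpressuser_x=admin%27 and IF(ORD(SUBSTRING(user_pass,25,1))>48,(select 1 from wp_options),0)/*
198.51.100.7
/wp-admin/admin-ajax.php
April 16, 2008, 5:31 pm
————–**********——————
"""

SEPARATOR = re.compile(r"^[^\w\n]*\*{5,}[^\w\n]*$", re.M)
VAR_LINE = re.compile(r"^(\S+) = (.*)$")
SQLI_HINTS = [  # heuristics; a single hit is common in ordinary text
    re.compile(r"'\s*(and|or)\b", re.I),                   # quote, then boolean logic
    re.compile(r"\bselect\b.+\bfrom\b", re.I),             # subquery
    re.compile(r"\b(substring|ord|ascii|if)\s*\(", re.I),  # blind-extraction helpers
    re.compile(r"/\*|--\s"),                               # trailing SQL comment
]

def parse_records(text):
    """Last three lines of each block are IP, path, time; the rest are variables."""
    records = []
    for chunk in SEPARATOR.split(text):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if len(lines) >= 3:  # skip empty or truncated blocks
            *body, ip, path, when = lines
            fields, last = {}, None
            for entry in body:
                m = VAR_LINE.match(entry)
                if m:
                    last, fields[m.group(1)] = m.group(1), m.group(2)
                elif last:  # continuation of a multi-line value (long spam)
                    fields[last] += "\n" + entry
            records.append({"ip": ip, "path": path, "time": when, "fields": fields})
    return records

def flagged(text, threshold=2):
    """(ip, path, time, variable) for each value matching >= threshold hints."""
    return [(r["ip"], r["path"], r["time"], k)
            for r in parse_records(text) for k, v in r["fields"].items()
            if sum(bool(p.search(unquote(v))) for p in SQLI_HINTS) >= threshold]
```

Values are URL-decoded before matching, so an encoded quote such as `%27` still counts toward the threshold.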

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter whooami

    (@whooami)

    Oh! And before these questions get asked.

    1. why not log the data to mysql and forgo using a plain text file?

    Because postlogger logs everything. If your site gets comment spam, it gets logged. And a good deal of comment spam is many lines long, 20-30 links worth. In other words, the people that complain about having the db full of crap would have fits.

    2. Why not have the plugin create the logfile and put it inside wp-admin, and then make it linkable from the admin?

    That’s easy enough to do, but I decided against that for multiple reasons. While someone that has admin access can potentially read the plugin via the plugin-editor screen and get the path to the log file, they do have to work *a little* to get to it.

    Linking to it in the admin i’face would allow all admins to read the file, including admins that you might not have added, i.e., rogue admins.

    The only way I would reconsider that change would be to “key” the logfile so that it was necessary to enter extra data like a key or a password to view it.

    Ideally, it’s simpler just to place the text file outside of your public_html, and to have it viewed only after downloading. Second to that would be placing it in a directory with an obscure name, and then naming the logfile itself with an obscure name.

    Thank you for ‘pluginizing’.

    Thread Starter whooami

    (@whooami)

    You’re welcome. I figured that would make it easier on people.

    I can’t seem to get through to the link provided above. It redirects to a page that just won’t load (server overwhelmed?). In any case, I wonder, could you post this plugin to https://www.ads-software.com/extend/plugins/? Thanks!

    Thread Starter whooami

    (@whooami)

    Hi, sorry no. My plugins aren’t hosted there, and won’t be. Ever.

    If you like, send me an email, and I will email you back a copy of the plugin.

    My email is whoo at the same domain.

  • The topic ‘vi-postlogger’ is closed to new replies.