I've pluginized the code that logs all $POST variables sent to your WordPress blogs. This ought to make it easier for people to see what is actually going on on their sites.
Why would you use this?
In a nutshell, Apache does not provide enough information for tracking down the source of exploits. A typical Apache log entry only shows the file name, the time it was accessed and some user-agent info.
Unfortunately, if a site is being actively exploited, this isn't enough information.
postlogger will capture the actual variables sent to the file:
comment = SO ON AND SO FORTH
submit = Submit Comment
comment_post_ID = 1
_wp_unfiltered_html_comment = e09c655751
April 16, 2008, 5:30 pm
Here is an even more illustrative example:
cookie = wordpressuser_5ef523d2e8a7d3002049a4b753d004ba=admin%27 and IF(ORD(SUBSTRING(user_pass,25,1))>48,(select 1 from wp_options),0)/*; wordpresspass_5ef523d2e8a7d3002049a4b753d004ba%3dx
That is a real life exploit for an older version of WordPress - it was captured using my code. The Apache log entry for this shows nothing more than the filename, the time. and the U-A.
Ive gone over the installation instructions in the permalink, and in a readme.txt that is included in the zip file. Please pay close attention to #1 and #2
Download and permalink: