I recently decided to start capturing the break-in attempts submitted to my wp-login.php file. I am going to capture the top credentials used by these scripts/attackers and add them to the SecLists project.
Anyway, that requires that I be able to see the POST data for incoming requests, but unfortunately this was non-trivial to enable. Here’s how to do it.
Compile in the echo module for Nginx
You can get the header code here.
./configure --add-module=./echo-nginx-module-0.54
make
make install
Capture the data
This is a modified version of the well-accepted combined log format, with the important addition of $request_body at the end.
log_format custom '$remote_addr - $remote_user [$time_local] '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent" "$request_body"';
Send to your log file
access_log /var/log/nginx/access.log custom;
Now you’ll be able to pull usernames and passwords for break-in attempts right out of your logs.
- Note that you’ll also get your own username and password. That should be obvious, but it’s worth mentioning in case you have many admins who might be sensitive to you capturing credentials.
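To turn those log lines into a ranked list of attempted credentials, here is an added example (not code from the original post) that parses the custom format above and tallies username/password pairs sent to wp-login.php. It assumes nginx's default log escaping (`\xXX` for quotes, backslashes and non-printable bytes) and the WordPress login form field names `log` and `pwd`; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# One entry in the 'custom' format above: combined log plus a quoted $request_body.
# nginx escapes '"' inside variables, so a quoted field never contains a raw quote.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<body>[^"]*)"$'
)

def unescape_nginx(value):
    """Undo nginx's default log escaping ('"', '\\' and bytes <32 or >126 -> \\xXX)."""
    raw = re.sub(rb'\\x([0-9A-Fa-f]{2})',
                 lambda m: bytes([int(m.group(1), 16)]), value.encode())
    return raw.decode('utf-8', errors='replace')

def top_credentials(lines, path='/wp-login.php', n=10):
    """Return the n most common (username, password) pairs POSTed to `path`."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m['body'] == '-':      # unparsable line, or no body logged
            continue
        parts = m['request'].split()
        if len(parts) < 2 or parts[0] != 'POST' or parts[1].split('?')[0] != path:
            continue
        # Unescape the log layer first, then URL-decode the form body.
        form = parse_qs(unescape_nginx(m['body']), keep_blank_values=True)
        # Assumption: 'log' and 'pwd' are the WordPress login form field names.
        pair = (form.get('log', [''])[0], form.get('pwd', [''])[0])
        if any(pair):
            counts[pair] += 1
    return counts.most_common(n)

# Constructed sample lines (documentation IP ranges), not real captures.
SAMPLE = [
    r'203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0" "log=admin&pwd=admin123&wp-submit=Log+In"',
    r'198.51.100.22 - - [10/Oct/2014:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0" "log=admin&pwd=admin123&wp-submit=Log+In"',
    r'198.51.100.22 - - [10/Oct/2014:13:55:44 +0000] "POST /wp-login.php HTTP/1.0" 200 3421 "-" "-" "log=root&pwd=pa\x22ss+w0rd%21"',
    r'192.0.2.10 - - [10/Oct/2014:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2987 "-" "Mozilla/5.0" "-"',
]

if __name__ == '__main__':
    for (user, pwd), hits in top_credentials(SAMPLE):
        print(hits, repr(user), repr(pwd))
```

As the note above points out, legitimate admin logins land in the same tally, so filter out your own accounts before sharing the results.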