Wednesday, March 26, 2014

Completely disable the Windows Error Reporting (WER) from of Windows 7 & 8.x,10

A complete guide to disable the Windows Error Reporting (WER) from of Windows 7 & 8.x, 10  

Step 1


  • Click on Start > Control Panel > Action Center > Change Action Center Settings.
  • Click on the "Problem Reporting Settings".
  • Select "Never Check for Solutions".

  • Click on OK to validate
  • Additionally : You can change this for all users as well by Clicking "Change report setting for all users".

Step 2


  • Click on Start > Run > Type "services.msc"
  • In the window that opens (Services), look for the following entry in the the right pane:
    • "Windows Error Reporting"
  • Double-click on this entry and set the "Startup type" status as "Disabled".



  • Click on OK to validate.


 Step 3 Double check this registry setting - EXHAUSTIVE

Best to do a search for Windows Error Reporting, and you find the key stems
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
Type "Regedit" and press "Enter."

Navigate to "Hkey_users\S-1-5-19\Software\Microsoft\Windows\Windows Error Reporting" and the above keys. 

Right-click "Disabled" and change the value from "0" to "1".

Next Key

 Navigate to "Hkey_users\S-1-5-19\Software\Microsoft\Windows\Windows Error
Reporting/Consent"
       Set to 1            
             Consent\DefaultConsent REG_DWORD
Possible values: 
          1 - Always ask (default), 2 - Parameters only, 3 - Parameters and safe data, 4 - All data                
Next Key 

 Navigate to "Hkey_users\S-1-5-19\Software\Microsoft\Windows\Windows Error Reporting/DefaultOverrideBehavior"
       Set to 1
          Consent\DefaultOverrideBehavior
REG_DWORD
Possible values:
0 - Vertical consent will override the default consent (default)
1 - Default consent will override the application-specific consent


Press the "Windows" key and "R" key simultaneously.

All Values Registry Values here ....

 Step 4  Disable Task Scheduler for Error Reporting Service



  • Open Task Scheduler and navigate to Task Scheduler (local) ->Microsoft->Windows->Windows Error Reporting




    Select on QueueReporting and Disable

  • Step 5 Permanently Disable Windows Error Reporting Service

To permanently Disable Windows Error Reporting Service, delete all keys under this folder LocalDumps.









    • Step 6 Clean these directories out


     C:\ProgramData\Microsoft\Windows\WER\ReportArchive

     C:\ProgramData\Microsoft\Windows\WER\ReportQueue

     C:\Windows\LiveKernelReports\WATCHDOG




    Posted by metadataconsulting (profile) at 12:27 PM 0 comments

    Tuesday, March 25, 2014

    500 Internal Server Error on GoDaddy.com - no Options All allowed

    Getting a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    If you are using GoDaddy.com here's a possible reason why -



    You cannot use Options modifier in .htaccess files with GoDaddy.com.

    Related : Apache Deb Box .htaccess file set-up alternative

    If you are modifying your .htaccess file for security purposes heavily on an Apache Box.

    If you getting this 500 Internal Server Error on other web hosting companies or your own Apache Dev box.

    Here's a possible work around.

    I noticed today that I receive the following error message in each page view error_log get written:
    Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden:
/var/www/vhosts/domain.Ca/httpdocs/index.pl, referer: http://www.domain.ca/

    Workaround

    The error messages is to get a grip on a previously used by me without any problems possibility of under / etc/apache2/mods-enabled/dir.conf to change the order as in about

       DirectoryIndex at_domains_index.html  index.html index.php index.xhtml 
                  index.htm index.shtml index.cfm
    Posted by metadataconsulting (profile) at 12:04 AM 0 comments

    Saturday, March 22, 2014

    Finding and Removing Orphaned SIDs and Removing Account Unknown S-1-5-21 from Windows 7 & 8, Server 2012

    Dreaded Unknown Accounts - Have you been hacked?

    Do you get accounts like this showing up for file permissions on c:\Windows\Temp:
    • Account Unknown (S-1-5-21-1796778222-299937555-3999959969-1026)
    These are known as dreaded S-1-5-21 because the can be created on the fly by programs using a technique called impersonation.

    According to Microsoft (http://msdn.microsoft.com/en-us/library/windows/desktop/aa379649) these are called SECURITY_NT_NON_UNIQUE S-1-5-21 SIDS are not unique.

    An attempt at an explaination is a follows of what SIDS are.

    security identifier (SID) is a unique value of variable length used to identify a trustee. Each account has a unique SID issued by an authority, such as a Windows domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.
    Windows security uses SIDs in the following security elements:
    SIDs have following format:

    S-1-5-21-527237640-484763769-1060284398-500
    • SID => S-1-5-21
    • Unique Identifier => 527237640-484763769-1060284398
    • RID => 500
    1. The "S-1" part refers to this being a version 1 Security Identifier. 
    2. The "5" identifies the top-level identifier authority as SECURITY_NT_AUTHORITY. 
    3. All Windows SIDs begin with "S-1-5"
    4. The first sub-authority is "21", which is SECURITY_NT_NON_UNIQUE, and means  indicates a domain id will follow. This means that the value of the SID is made unique by the addition of the RID value (the last part of the decimal format). 
    5. The next three sub authorities "527237640-484763769-1060284398" are 32-bit random numbers to uniquely identify the computer. 
    6. The final part of the SID is the Relative Identifier (RID) of the object. The local Administrator user on all computers has the same well-known RID, "500".

      Note: If the local computer SID prefix values are not unique, then local user accounts on two different computers can have the same objectSID. For example, the local Administrator user, which always has the same well-known RID value of 500, will have the same objectSID value on two different computers if the local computer SID prefix is the same. Permissions granted to one of these users will apply to the other by mistake.the The RID uniquely identifies an account or group within a domain. 

     This more focused SIDS and RIDS list available at http://msdn.microsoft.com/en-us/library/cc980032.aspx, and list SIDs in a table format

    ADMINISTRATOR
    S-1-5-21--500
    A user account for the system administrator. By default, it is the only user account that is given full control over the system.

    This gives a list of well known SIDS and RIDS, and commonly quoted on other sites
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx

     Still, I am stuck for my unknown soldier, the value of 1026 for the RID I cannot find.
    • Account Unknown (S-1-5-21-1796778222-299937555-3999959969-1026)

    Determine some quick SIDs on your computer from the Windows CMD line; 

    whoami /user - lists your logged-in username SID 
whoami /groups - list user group permission as SIDs, see image below

    But this is not giving me a complete comprehensive list of SIDS. 

    But know I suspect 1026 is part of IIS installed on my computer, given natural progression of numbers, but it is not listed.
    If you suspect a you can try to do a reverse look-up of the SID.

    You can do the reverse, how     to determine Which Account a SID Belongs to by using a Powershell elevated script from http://technet.microsoft.com/en-us/library/ff730940.aspx.

    PS C:\>$objSID = New-Object System.Security.Principal.SecurityIdentifier `
    ("S-1-5-21-1796778222-299937555-3999959969-1026")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
echo $objUser.Value
    returned Some or all identity references could not be translated 
    or 
    PS C:\> [wmi]"win32_SID.SID='S-1-5-21-1796778222-299937555-3999959969-1026'"
__GENUS              : 2
__CLASS              : Win32_SID
__SUPERCLASS         : 
__DYNASTY            : Win32_SID
__RELPATH            : Win32_SID.SID="S-1-5-21-1796778222-299937555-3999959969-1026"
__PROPERTY_COUNT     : 5
__DERIVATION         : {}
__SERVER             : HOGWARTS
__NAMESPACE          : root\cimv2
__PATH               : \\THUNDERBIRD-W7U\root\cimv2:Win32_SID.SID="S-1-5-21-1796778222-299937555-3999959969-1026"
AccountName          : 
BinaryRepresentation : {1, 5, 0, 0...}
ReferencedDomainName : 
SID                  : S-1-5-21-1796778222-299937555-3999959969-1026
SidLength            : 28
PSComputerName       : HOGWARTS
    

    Still the unanswered question remains, I cannot find this account but it exist.
    • Account Unknown (S-1-5-21-1796778222-299937555-3999959969-1026)
    Well what about the brute force approach enumerating all the SIDs on a computer?

    Helge Klein has tried to solve this in the following problem statement:
    "Due to a lack of visibility permission cleanup is performed far less frequently than it could, and probably should. As a result, ghost ACEs (permissions from deleted accounts) linger in the dark corners of the file system, threatening the unsuspecting admin with the horrors of unresolvable SIDs." http://helgeklein.com/blog/2012/07/finding-removing-orphaned-sids-in-file-permissions-or-busting-the-ghosts-built-into-windows-7/
    He create setACL, a tool to get identify, find SIDS relative to all programs and deleted accounts on your computer. 

    Running the the above script produced following output.

    So at least S-1-15-2-1 in above example I know is a legitimate account and not been hacked.

    Still I could not identify this account     Account Unknown (S-1-5-21-1796778222-299937555-3999959969-1026) directly - but I did find 1026!!!

     For the record this is a list of common SIDs I found using above setACL command.
    C:\Program Files\Common Files\Microsoft Shared\VGX
   DACL(protected+auto_inherited):
   S-1-15-2-1   read_execute   allow   no_inheritance
   S-1-15-2-1   read_execute   allow   container_inherit+object_inherit+inherit_only
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Data\MSSQL10.SHAREPOINT\MSSQL\Template Data
   DACL(not_protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1019   full   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\100\DTS\Binn
   DACL(pseudo_protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1027   read_execute   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\90\Shared
   DACL(not_protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1028   read_execute   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSAS10_50.SQLDEVLOPER\OLAP\Config
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1028   full   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSAS10_50.SQLDEVLOPER\OLAP\Data
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1028   full   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSAS10_50.SQLDEVLOPER\OLAP\Log
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1028   full   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSRS10_50.SQLDEVLOPER\Reporting Services\LogFiles
   DACL(not_protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1026   write+read+DELETE   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSRS10_50.SQLDEVLOPER\Reporting Services\RSTempFiles
   DACL(not_protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1026   read_execute+write   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSRS10_50.SQLEXPRESS\Reporting Services\LogFiles
   DACL(not_protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1011   write+read+DELETE   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1006   read_execute   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLDEVLOPER\MSSQL
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1029   read_execute   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLDEVLOPER\MSSQL\DATA
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1029   full   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLDEVLOPER\MSSQL\FTData
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1029   full   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLDEVLOPER\MSSQL\JOBS
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1030   full   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLDEVLOPER\MSSQL\Log
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1029   full   allow   container_inherit+object_inherit
   S-1-5-21-1111111111-222222222-3333333333-1030   read_execute+write+FILE_DELETE_CHILD   allow   no_inheritance
   S-1-5-21-1111111111-222222222-3333333333-1030   read_execute+write+FILE_DELETE_CHILD   allow   container_inherit+object_inherit+inherit_only
   S-1-5-80-1111111111-222222222-3333333333-4444444444-555555555   FILE_LIST_DIRECTORY+FILE_ADD_FILE   allow   no_inheritance
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1014   read_execute   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\DATA
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1014   full   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\FTData
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1014   full   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\JOBS
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1015   full   allow   container_inherit+object_inherit
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Log
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1014   full   allow   container_inherit+object_inherit
   S-1-5-21-1111111111-222222222-3333333333-1015   read_execute+write+FILE_DELETE_CHILD   allow   no_inheritance
   S-1-5-21-1111111111-222222222-3333333333-1015   read_execute+write+FILE_DELETE_CHILD   allow   container_inherit+object_inherit+inherit_only
   S-1-5-80-1111111111-222222222-3333333333-4444444444-555555555   FILE_LIST_DIRECTORY+FILE_ADD_FILE   allow   no_inheritance
C:\Program Files (x86)\Common Files\microsoft shared\VGX
   DACL(protected+auto_inherited):
   S-1-15-2-1   read_execute   allow   no_inheritance
   S-1-15-2-1   read_execute   allow   container_inherit+object_inherit+inherit_only
C:\Program Files (x86)\Microsoft SQL Server\90\Shared
   DACL(not_protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1005   read_execute   allow   container_inherit+object_inherit
   S-1-5-21-1111111111-222222222-3333333333-1013   read_execute   allow   container_inherit+object_inherit
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\ASConfig
   DACL(not_protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1013   FILE_ADD_FILE+FILE_ADD_SUBDIRECTORY+READ_CONTROL   allow   container_inherit+object_inherit+no_propagate_inherit
   S-1-5-21-1111111111-222222222-3333333333-1028   full   allow   container_inherit+object_inherit
C:\ProgramData\Microsoft\eHome\SharedSBE
   DACL(not_protected+auto_inherited):
   S-1-5-80-1111111111-222222222-3333333333-4444444444-555555555   change+FILE_DELETE_CHILD   allow   no_inheritance
   S-1-5-80-1111111111-222222222-3333333333-4444444444-555555555   change+FILE_DELETE_CHILD   allow   container_inherit+object_inherit+inherit_only
C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System
  DACL(pseudo_protected):
  S-1-5-80-1111111111-222222222-3333333333-4444444444-555555555   full   allow   container_inherit+object_inherit
C:\ProgramData\Microsoft\Network\Connections
   DACL(protected+auto_inherited):
   S-1-5-80-31111111111-222222222-3333333333-164347954-1900376235   full   allow   no_inheritance
   S-1-5-80-31111111111-222222222-3333333333-164347954-1900376235   full   allow   container_inherit+object_inherit+inherit_only
C:\Users\Public\Recorded TV
   DACL(not_protected+auto_inherited):
   S-1-5-80-1111111111-222222222-3333333333-1563395363-459793767   change+FILE_DELETE_CHILD   allow   no_inheritance
   S-1-5-80-1111111111-222222222-3333333333-1563395363-459793767   change+FILE_DELETE_CHILD   allow   container_inherit+object_inherit+inherit_only
C:\Windows\Downloaded Program Files
   DACL(protected+auto_inherited):
   S-1-15-2-1   read_execute   allow   no_inheritance
   S-1-15-2-1   read_execute   allow   container_inherit+object_inherit+inherit_only
C:\Windows\Globalization\ELS\HyphenationDictionaries
   DACL(protected+auto_inherited):
   S-1-15-2-1   read_execute   allow   no_inheritance
   S-1-15-2-1   read_execute   allow   container_inherit+object_inherit+inherit_only
C:\Windows\Globalization\ELS\SpellDictionaries
   DACL(protected+auto_inherited):
   S-1-15-2-1   read_execute   allow   no_inheritance
   S-1-15-2-1   read_execute   allow   container_inherit+object_inherit+inherit_only
C:\Windows\Offline Web Pages
   DACL(protected+auto_inherited):
   S-1-15-2-1   read_execute   allow   no_inheritance
   S-1-15-2-1   read_execute   allow   container_inherit+object_inherit+inherit_only
C:\Windows\Temp
   DACL(protected+auto_inherited):
   S-1-5-21-1111111111-222222222-3333333333-1011   read_execute+FILE_ADD_FILE+FILE_ADD_SUBDIRECTORY+DELETE   allow   container_inherit+object_inherit
   S-1-5-21-1111111111-222222222-3333333333-1026   read_execute+FILE_ADD_FILE+FILE_ADD_SUBDIRECTORY+DELETE   allow   container_inherit+object_inherit
SetACL finished successfully.
    

    

    So the in the above output there are three records ending with 1026. and the last one is revealing since it it begins with same SID=S-1-5-21 and RID=1026 as in our unknown account. But the 3 sub authorities numbers 
    

    
1111111111-222222222-3333333333 is supposed to be random and this is not! 
    
LOOKS LIKE THIS IS HACKED ACCOUNT - THIS IS NOT GOOD!
    
At least this unknown account looks normal;   
    
Account Unknown (S-1-5-21-1796778222-299937555-3999959969-1026) 
    

    
and we have a match kinda. At least we can at a least get permissions of this owner and some programs that use it. 
    

    

    

    

    
Account Unknown w/
DACL (protected+auto_inherited)

S-1-5-21-<>-1026
    

    
File Permission 
read_execute+FILE_ADD_FILE+FILE_ADD_SUBDIRECTORY+DELETE   
allow container_inherit+object_inherit
    

    

    

    

    

    

    

    
Let's now check these suspect SIDS
    

    


Get-Acl "C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System" | Format-List
    

    Path   : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System
Owner  : NT AUTHORITY\SYSTEM
Group  : NT AUTHORITY\SYSTEM
Access : S-1-5-80-1469974279-1943423511-1205514815-3290109594-1875557445 Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
Audit  : 
Sddl   : O:SYG:SYD:(A;OICI;FA;;;S-1-5-80-1467924279-1943423510-1205514805-3190109594-1875307435)(A;OICIID;FA;;;SY)(A;OIC
         IID;FA;;;BA)
    


    

    
Well I did not find 1111111111-222222222-3333333333.
    

    
How to reset ACL for a directory
    

    


How to add back inheritance to ACL for that directory.
    

    



    

    
Well turns out these did now work either to reset some files, so back to another method.
    

    
Tried to use free resource toolkit tool SIDwalker and Showaccs but did not produce any results on Windows 7.
    

    
Ultimately, I headed back to SysInternals and found a tool called AccessEnum v1.32

    AccessEnum     gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you for security holes and lock down permissions where necessary. Voila !
    

    
But the results of that are in my next post, Using AccessEnum to hunt down unkown file SIDs

    

    

    

    

    

    
Feb 1, 2017 Update
    

    
Well known SIDS
    
https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
    

    
.HIDDEN REGISTRY KEYS - SECURITY & SAM
    
Some of the security and core system related keys are hidden from user even when part of an administrator group cannot see these special keys.
    

    Here are some of the such hidden registry keys
    

    HKEY_LOCAL_MACHINE\SECURITY
    
HKEY_LOCAL_MACHINE\SAM
    


    SECURITY registry key stores all the system policy and LSA secrets related information.  SAM registry key has details for user accounts along with LM/NTLM password hashes for each user.
    

    There are many ways we can view these hidden registry keys. We can use psexec.exe tool (part of pstools package from sysinternals) to launch the regedit.exe as system account as shown below.
    
psexec.exe -s -i regedit.exe
    

    
HKEY_LOCAL_MACHINE\SECURITY - now you can explore SIDs ! 
    

    

    
You can delete SIDS using the following technique;
    

    
https://helgeklein.com/blog/2012/07/finding-removing-orphaned-sids-in-file-permissions-or-busting-the-ghosts-built-into-windows-7/
    

    

    

    

    

    

    

    

    

    

    
Posted by
metadataconsulting (profile)


at
11:10 PM


4
comments









    


    

    

    


    

    


    

    

    

    

          
    
        

          
    
        

    Wednesday, March 19, 2014
    

          
    
        

    

    


    
Wordpress News/Blog contains funny characters, your site has been hacked

    

    

    

    

    

    

    
If you are finding weird characters in the Wordpress News Blog roll, then your has been hacked. An example is; 
    

    

    
I+ACYAIw-8217+ADs-m excited to announce that
the first beta of WordPress 3.9 is now available for testing. WordPress 3.9 is
due out next month +ACYAIw-8212+ADs but in order to hit that goal, we need your
help testing all of the goodies we+ACYAIw-8217+ADs-ve added: We updated
TinyMCE, the software powering the visual editor, to the latest version.
+AFsAJgAj-8230+ADsAXQ- […]
    

    

    
or you see those characters in the title tag of your site, hackers have gotten into your site and/or guessed your password. See more information on latest attack here - http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
    

    

    
There are many, resolutions but even after this http://codex.wordpress.org/FAQ_My_site_was_hacked and many more recommendation using Google search about this. 
    

    
You may see these I+ACYAIw-8217+ADs-m still appear. An analysis of several sites, indicates that this has been caused by a change in a database setting. These strings are stored in your MySQL database and once corrupted remain there. 
    

    
This is because a change to using UTF-7 instead of UTF-8. See below for changes back to UTF-8.You may have to convert old database fields into the new characters set, see below for a solution. 
    

    

    

    
But for WordPress New RSS Blog entries from the mother-ship,  these entries which are stored in WordPress as transients. You can just blow of them off, and delete them.
    

    

    

    
Here is an excellent plug-in to just that. Delete all transients 
    

    
http://wordpress.org/plugins/delete-expired-transients/

    Actually you can create a schedule task to do this periodically. 
    



    

    
To be thorough, you may want to check these settings.
    

    

    
1. Check the DB_CHARSET constant in wp-config.php, it may read utf-7 change to utf-8.
    

    

    
1
    

    
2
    
3
    

    

    
/** Database Charset to use in creating database tables. */
    

    
define('DB_CHARSET', 'utf8'); 
define('DB_COLLATE', '');


    

    

    

    

    

    

    

    
2. In the WordPress admin menu, Change “Settings->Reading->Encoding for Pages and Feeds” from UTF-8 from UTF-7
    

    Following the above bad advice might appear to ‘fix’ the appearance of some languages, but others will still display incorrectly. Furthermore, these changes will cause your text to be encoded incorrectly, so that when you do implement the correct fix, your foreign-language pages will have bad character mappings and be filled with incorrect characters. You will then have to correct or re-enter the text from scratch.
    
If you found unusual characters in your database, try this...
    

    
To fix this problem, you need to change the default character set/collation of your WordPress site’s MySQL database to UTF-8/utf8_general_ci and then convert all the current table data.
    
The traditional way to do this is to run various “ALTER DATABASE” and “ALTER TABLE” SQL queries within phpMyAdmin or via the command-line mysql client, and you can find some great instructions here:
    
http://en.gentoo-wiki.com/wiki/Convert_latin1_to_UTF-8_in_MySQL
    

    Unfortunately, this procedure is tedious.
    

    There is however a fantastic plugin named Convert WP Database to UTF-8. This plugin adds a sub-menu page named “UTF-8 DB Converter” to the Plugins Menu. Simple click on “Start converting” and the plugin will automatically execute the required SQL queries to alter the character set and collation of all your existing WordPress tables.
    

    
You only need to do it once per website, and the problem is fixed for good. You can then uninstall the plugin.
    
Although this plugin has always run without a hitch for me, it is proper practice to make a backup of your WordPress database before attempting this procedure, just in case something goes wrong. Most web hosts provide wizards that let you easily backup your MySQL databases, but you can do this using phpMyAdmin or a WordPress plugin like
    

    
Also, you should place your website in maintenance mode using a plugin like WP Maintenance Mode to stop users accessing your website while the character set conversion is in progress. The time taken will vary depending on how big your database is, but for me, the conversion has always been completed in less than 1 minute.
    

    
Additional reading
    
Technical 
    
http://joemaller.com/1328/fixing-mixed-encoding-mysql-dumpfiles-with-wordpress/
    
Easy to read
    http://digwp.com/2011/07/clean-up-weird-characters-in-database/
    

    

    

    

    

    

    

    

    
Posted by
metadataconsulting (profile)


at
8:32 PM


1 comments









    


    

    

    


    

    


    

    

    

    

        
    
      

    


    

    

    
Subscribe to:
Posts (Atom)