Firstly thanks to all who replied. The range in complexity of solution was an eye opener.
Ok so here is my experience, your milage may vary. Originally I went the route suggested by Craig Falconer, and set up a myriad of directories and symlinks to cater to the requests. The one thing I found about taking this route is that if you cater to the first file access request, the offending code on the remote machine goes looking for the next file in its list of exploits etc etc etc. So the complexity of the directories and symlinks kept growing every time I frequented my error_log. So I started playing around with my httpd.conf and reading more documentation, where I found it suggested that splitting the logs up for any piece of software was not reccomended. However my machine is hardly a commercial product! And I was already not logging access attempts for .jpg .gif and .png as per the httpd documentation. About this time I got an email from Hugh McColl suggesting a twist to prevent things making the error_log. (I still think the redirection should be to http://www.microsoft.com) Here is what I have ended up with, [snip httpd.conf] SetEnvIf Request_URI \cmd.exe|\root.exe|\default.ida not-common-logs SetEnvIf Request_URI \cmd.exe|\root.exe|\default.ida ms-worms SetEnvIf Request_URI \.gif|\.jpg|\.png not-common-logs SetEnvIf Remote_Addr "192\.168\.1\." not-common-logs CustomLog log_dir/access_log combined env=!not-common-logs CustomLog log_dir/ms_worms_log combined env=ms-worms <IfModule mod_alias.c> RedirectMatch (.*)\root.exe$ http://not.today RedirectMatch (.*)\cmd.exe$ http://not.today RedirectMatch (.*)\default.ida$ http://not.today </IfModule> [/snip] There is still one unresolved problem, every time a /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNN... gets requested it gets logged in access but not errors, so I am still playing to fix. Mark _________________________________________________________________ Join the world�s largest e-mail service with MSN Hotmail. http://www.hotmail.com
