another legend: when IIS expoloits were still simple, someone published a web server configuration that would recognize a common exploit and respond by re-exploiting the implied vulnerability on the infected machine to shut it down.
I have seen some suggested Apache configuration lines which fire only when one of the CodeRed (or other M$loth exploit) URL's is accessed and does a redirect to 127.0.0.1. Boom!
Actually, I think I am running with that right now... ;~0
John
