on my webserver, and im sure many of you who also run one see this all the time, but the majority of my access log is filled with attempted exploits from computers compromised by some virus (NIMBDA?) and anyway i know this is harmless to an apache/linux webserver, but its annoying, anyway, on slashdot i saw this:
RedirectMatch permanent (.*)c+dir http://127.0.0.1/scripts/..%255c..%255cwinnt/syste m32/cmd.exe?/c+rundll32.exe+shell32.dll,SHExitWind owsEx%201

to put in the .htaccess file, someone with more knowledge of .htaccess than me, please what does this do? it looks like it would try to execute the command on a windows machine to shut down the computer(exit windows) how does this work? and is it safe to include in my .htaccess file? thanks.

That does appear to be what it does...
While some people think it's only fair, it's of dubious legality since you're using the same exploit against them - It's better to just continue letting them fail, knowing that you won't be affected other than the relatively minor bandwidth consumption. If you redirect them, why not redirect them to a bandwidth-sucker of a web page, such as www.microsoft.com

By the way, what it's doing is redirecting them to the exploit on their local machine, then calling the rundll32 executable to use a function in the specified DLL file that's called when the box logs itself out or reboots. I don't know exactly what happens when you try to log out a service, though - I wonder if it even works. Plus this will only work on an NT/2000 machine that has %systemroot% at C:\WINNT (although it does by default).

i see. thanks for the responce. using that probably wouldnt be nice also to the person whos computer is infected and dosnt even know it. maybe even better would be redirecting them to a virus scanning software page. anyway, thanks livinfree

Well, they wouldn't actually see any page you redirected them to... It's not a foreground process. Redirecting them to microsoft.com would, say, distribute bandwidth consumption in a slightly more fair way

We often configure our web servers to redirect web-based viruses back to the origin, defining 'origin' as:

hahahaha is all i can say to that! thanks for the info.