g1smd, I get you, but the 404.shtml page is a custom 404 error page and returns a 404 error not found header if done right and checked with header fetcher, however, I take your point, /path-does-not-exist in this case maybe wiser, a raw true error page is best. The index.php thing, yes I explained that and said if you have index.php as the URL constructor. What I posted above works OK with postnuke / Zikula and other similar CMSes because they have index.php or modules.php always as the start of any URL fetched from the database.
Using the wildcard approach may not be the best solution, but I had to do something, thanks for your input, I'll give your solution a try myself.
This is what I like about these forums, with constructive arguments like this, we achieve results, better results!
Anyone else with more hacker busting fixes related to this?