The first step would be to either define "/404.shtml" by putting up an SSI-enabled error page at that URL, or to go into the control panel (most likely the thing that is defining it now) and modify the "error page" definition to point to your actual 404 error page's filepath.

In either case, the 404 error page should be extremely small -- no external dependencies (e.g images, css, or other included objects), and only enough headers to allow it to validate.

An alternative is to serve either a 403-Forbidden response (again with a tiny error page), or to serve a blank page and a 200-OK response. If you serve a 404 or 403 response, then you have the option to force a "Connection: Close" response header by using mod_headers in a <Files> or <FilesMatch> container.

Because it is impossible to know how the 'bot is coded, you may have to try all of the 404/403/200 methods, to see if any one of them works best, as determined by whether the 'bot keeps coming back, and if so, how much bandwidth it consumes.

Depending on the predictability of the requesting IP address range, you may wish to ask the host if they have any firewall facilities which you (or they) could use to just block these requests before they even reach the server -- drop them directly into a "black hole," in other words.

So those comments pertain to handling. As for detection, does the 'bot always come with the same user-agent? If so, what is it? (it's not visible in server error log entries, as above). You could block by user-agent name in addition to the IP address range if the 'bot is identifying itself...

Finally, insist that the host investigate and tell you how the site got hacked in the first place. If they cannot or will not do this, then it may be time to change hosts. It is important to find the 'entry point' that allowed the site to be hacked and to close it. The hack may not have been on the server, though; the possibility that someone who has access to the server may have been infected by a keylogger should not be overlooked. Regardless, it's time to change all usernames and passwords for FTP and shell access.

Jim

If you 403 deny the access make sure your site can serve the error message. If you deny everything then the error page is also denied and the errors cascade.

I have tried using the rewrite rules with no effect.

If you use these rules, you'll still get entries in the log for each access along with the resultant HTTP status returned. The aim is to serve the most minimal page (a few hundred bytes at most) for each of those errors.

Thank you gents for your speedy replies, The site was compromised by the client having a very weak password on his cpanel (it was rodney) the original host were not very helpful so I have changed hosts.
It is not so much that the bot comes but all the infected computers trying to reach their master, in 2 days it managed to infect/control thousands of computers! This is typical, note the time line for the extent of the infection :-
Host: 81.206.70.9


*


/zeus/config.bin
Http Code: 200 Date: Apr 23 17:18:33 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.4)





*


/zeus/gate.php
Http Code: 200 Date: Apr 23 17:18:56 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6.4)




Host: 83.82.19.147


*


/zeus/ip.php
Http Code: 200 Date: Apr 23 17:18:04 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.2)





*


/zeus/config.bin
Http Code: 200 Date: Apr 23 17:18:32 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.2)





*


/zeus/gate.php
Http Code: 200 Date: Apr 23 17:18:55 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.2)




Host: 77.251.185.20


*


/zeus/config.bin
Http Code: 200 Date: Apr 23 17:18:31 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)





*


/zeus/ip.php
Http Code: 200 Date: Apr 23 17:18:32 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)





*


/zeus/gate.php
Http Code: 200 Date: Apr 23 17:18:55 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)


I have now created a directory called zeus and blank files config.bin, ip.php and gate.php this seems to have greatly reduced the bandwidth being used. Ideally I would like to stop it but I am far from sure how to, I can not ask the host to ban IP's.
Thanks for all the suggestions so far.Cheers G W Styles.

A well known UK TV show from the 1990s featured the oft used line:

You plonker, Rodney

Seems appropriate in this case. :)

That was my clients favourite show.

Don't gloat. Doing so turns a dry technical error message into a "challenge" and can result in worse problems than before.

Also, don't provide any useful information, as in "Invalid UA string, you twit." Knowledge is power; Don't empower enemies.

And be aware that there is always a non-zero probability that the error message will be served to an innocent *customer* of the site because of some other unrelated error. As a professional, never create a risk of offending your (or your clients') sites' customers.

In some cases, I serve (only) a string like "~." that looks like a comms hardware failure, to give me a 'visual' in the server logs indicating which of several error 'pages' was served (based on the distinct byte counts). And to anyone reviewing their bot's recent harvest, it looks like my server is broken, so maybe they'll take my site off their list. Unlikely, but at least I'm only wasting a very few bytes on them.

Jim

Thank you Jim that seems like good advice.