I just blocked the IP, but I am sitting here wondering what would be the purpose? Since it's directed at "mydomain" and not just an IP, is this an attempt to crash my server?
David
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /scripts/root.exe?/c+dir HTTP/1.0"
"GET /MSADC/root.exe?/c+dir HTTP/1.0"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
If they are, then you are being hit by a server infected with the NIMDA virus looking for another server to infect. If you're not hosted on NT/IIS then you don't need to worry, but it is a waste of bandwidth and makes the logs a pain to go through.
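A defender-side check for the request patterns quoted above, added here as an example and not part of any post in this thread: it percent-decodes each request path until it stops changing, then flags double encoding, `..` traversal and requests for `cmd.exe` or `root.exe`, counted per source IP. The log format (Apache combined style), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log: documentation IPs, made-up timestamps and status codes;
# the request strings are the ones quoted in the thread.
SAMPLE_LOG = '''
192.0.2.10 - - [01/Feb/2002:10:00:01 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
192.0.2.10 - - [01/Feb/2002:10:00:01 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
192.0.2.10 - - [01/Feb/2002:10:00:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
192.0.2.10 - - [01/Feb/2002:10:00:02 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280
198.51.100.7 - - [01/Feb/2002:10:00:05 +0000] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [01/Feb/2002:10:00:06 +0000] "GET /a HTTP/1.0" 404 270
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
SHELL_RE = re.compile(r"/(?:cmd|root)\.exe$", re.IGNORECASE)

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable; return (normalised path, rounds needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path.replace("\\", "/"), rounds  # treat '\' as a path separator too

def classify(target):
    """Return the reasons a request target looks like an IIS command-shell probe."""
    path, rounds = fully_decode(target.split("?", 1)[0])
    reasons = []
    if rounds >= 2:                      # e.g. %252f -> %2f -> /
        reasons.append("double-encoded")
    if ".." in path.split("/"):
        reasons.append("traversal")
    if SHELL_RE.search(path):
        reasons.append("shell-binary")
    return reasons

def probes_by_ip(log_text):
    """Count flagged requests per client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and classify(m.group(2)):
            hits[m.group(1)] += 1
    return hits

if __name__ == "__main__":
    for ip, n in probes_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} flagged requests")
```
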
It looks like a person running a bot at me. I dug into my logs and found this order of things.
IP address XX.XX.XX.XX does a search on google.com.pl on a keyword (I see the referrer in the logs). They are using IE6, WIN NT and they view a few pages like a user would.
Then a minute or so later the same IP sends a bot that grabs up pages "244 today repeating the same pages"; while that is happening it is also making a bad request for "http://mydomain.com/a", 8600 of that bad request today. All that happens in less than 5 minutes.
I was visited twice in January and today was the first for February.
What's funny is the keywords they used. One is a two word phrase that I sit at number 4 out of 500,000. But the other is a one word search that I sit at 470 out of 2 million. They clicked that link at 470.
But in total today 8900 requests to the server in less than 5 minutes is a bit much.
Any thoughts?