You can issue a page similar to the admin panel.

robots scan, as a rule, so no one will appreciate all the fun. Only if you need to keep a balance of traffic, and there are a lot of bots, then you can give a thread of a video file.

- a redirect to fsb.ru (an ancient and boring joke),
- a pseudo-admin panel that can be accessed with any password, but which, due to pseudo script errors (with the issuance of incorrect paths), will not work
- on the 404th - security articles / jokes, etc.
- give the page with exploits, if suddenly someone manually searches for the link.
- give instead of the 404th " 418 I'm a teapot "
, etc. although for me, why not just give "204 No Content" if nginx or 403/404/410 ...

It's far from a fact that these are kiddies, the usual automatic scanners work.
100,500 sites are scanned at once, where there are no 404 sites, they are entered into the database.
Then this list is already processed, at least by autorouters, at least by something else.
Personally, it seems to me that 99% of all /admin /adm /login /phpadmin, etc. URLs with 404 errors are called by bots.

Hang something like this

If it's a scriptkiddie I'd scare them. Most likely they are sitting without a proxy, I would give them their address and city, and also write a terrible thing: Your contact details have been transferred to the computer crime department. I think that the students would be scared)

Nothing. What for? For fun?

Ask for contact details and covertly submit the form to the FSB website.

Somewhere copy the html code of some fancy enterprise web interface, a la microsoft backoffice.

Brilliant Drupal writes that access is denied. Brilliant - because it's simple.

habrahabr.ru/admin/