Sites using Microsoft's web server should beware of the worm CodeRed, also called I-Worm.Bady. This worm exploits a flaw in the indexing service, sites that are not using this service should make sure it is disabled; sites that are using the service should use the Microsoft patch to fix the flaw: Microsoft Security Bulletin MS01-033
When active, the worm continually attempts to connect to other web servers and infect them. It may also modify the web pages on the server with a message, "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!"
Your intrusion detection system should be able to easily identify the worm's attacked.