Excerpt from this month's Netcraft newsletter:
Note that the patch does not necessarily remove the root.exe facility
installed by both sadmind/IIS and Code Red II. root.exe allows anyone
on the internet to have commands on the machine executed with web
server privileges, and can typically be used to set up logging of
credit card information and other sensitive data on SSL servers. This
has created a new class of ecommerce site which has been correctly
patched for known server vulnerabilities, but has a live backdoor
facility enabling attackers to continue to remain in control of the
machine. Currently around 12% of SSL sites running Microsoft-IIS
tested for the first time are in this state.

If I have occasion to give my credit card # over a
"secure" server, I'll check first that it's not running
Micro$oft! 1 in 8 odds of a compromised e-commerce
server don't sound that good to me!
- Steve
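
An added example, not part of the newsletter or of Steve's post: one way an administrator could check IIS logs for the state the excerpt describes, a patched server that still answers requests for root.exe. The log lines, field order and addresses are constructed sample data; only the file name root.exe comes from the excerpt.

```python
import posixpath

BACKDOOR_NAME = "root.exe"  # the only file name the newsletter excerpt gives

# Constructed W3C extended log sample (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-20 10:01:02 192.0.2.10 GET /default.asp - 200
2001-08-20 10:03:41 198.51.100.7 GET /scripts/root.exe - 200
2001-08-20 10:04:05 203.0.113.5 GET /scripts/ROOT.EXE - 404
2001-08-20 10:06:00 192.0.2.10 GET /docs/root.exe.txt - 200
"""


def parse_w3c(lines):
    """Yield one dict per request, honouring each #Fields directive."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The field list can change mid-file when logging is reconfigured.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def backdoor_hits(lines):
    """Sort requests for root.exe into 'live' (served) and 'probe' (refused)."""
    report = {"live": [], "probe": []}
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        # Compare the final path component only; Windows names ignore case.
        if posixpath.basename(stem).lower() != BACKDOOR_NAME:
            continue
        status = rec.get("sc-status", "")
        # A 2xx status means the request was served: the file is still in
        # place even if the original vulnerability has since been patched.
        bucket = "live" if status.startswith("2") else "probe"
        report[bucket].append((rec["date"], rec["time"], rec.get("c-ip"), stem, status))
    return report


if __name__ == "__main__":
    for kind, rows in backdoor_hits(SAMPLE_LOG.splitlines()).items():
        print(kind, rows)
```

Any entry under "live" means the machine needs cleanup beyond the patch; "probe" entries only show that someone asked for the file and was refused.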