Check your FTP logs to find uploads of Darkmailer scripts. Forward to us a copy of the FTP log records that you find. These logs will often be in /var/log/messages, but this depends on your system configuration.
Identify, kill and remove all Darkmailer scripts currently on the web server. NOTE: Many Darkmailer operators cause the Darkmailer scripts to be removed either after they're used, or even during their use. If you cannot find the scripts, this does NOT mean that the CBL is in error in this listing NOR does it mean that you are not presently vulnerable to anotherDarkmailer infection.
Change the passwords of every userid identified as performing FTP uploads, and warn these users that their passwords had been compromised by a keylogger infection. They need to run anti-virus software on their computers.
NEW WARNING: we're getting indications that once initially compromised by FTP, the attackers are uploading alternate file transfer programs that do not rely on the user's password. See below under "r57shell"
Implement port 25 blocking so that only your mail server software userid can make outbound port 25 connections from this machine.
