Compromised Webserver

[duncan (sadc)]

My webserver has been compromised, but how, i cant understand. One of the emails being sent to people has this link below, when you click on the link, it will ask you to download an .exe file.

http:##www.mywebsite.com#downloads#?eid=0536587945789410

We are hosting a free email service, my guess is its a file that was uploaded onto the server but how the hacker managed to replace // with ## i dunno. Anyone here with an idea? Its running Fedora 8, LAMP.