The Apache.org website suffered an intrusion over the weekend that resulted in the site being taken down.
The attack came via servers at a third-party hosting provider that were used to host the ApacheCon site, according to a blog post by the Apache infrastructure team.
From that server the intruders were able to gain access to a backup server, on which they were able to create CGI scripts that were then automatically rsynced out to Apache's production web servers. Once on the production servers, the scripts were executed, spawning rogue processes which drew the infrastructure team's attention.
To the best of the team's knowledge, there is no evidence that any downloads were affected, and the intruders were unable to escalate their privileges.
Apache Software Foundation member J Aaron Farr said on Reddit that the ApacheCon server would be rebuilt from scratch and that the team was still looking into how it was compromised.
There's no need to run to the hills screaming and yelling in fear that the next iteration of Apache's web server could have "bad stuff" in it. This is an instance of defacing which only affected the Apache.org website itself. Farr said that Apache's svn servers were fine so the code is clean.
This is a good lesson on the potential downside of using SSH keys, which enable password-less log-ins for you, your scripts and anyone else who can get into your account.
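One way to check for that exposure, as an added example that is not from the Apache team or the original article: a small Python audit of an `authorized_keys` file that flags keys lacking the standard OpenSSH `from=`, `command=` or forwarding restrictions. The sample entries, key blobs, addresses and script paths are constructed for illustration.

```python
import re

# authorized_keys entry: [options] keytype base64-key [comment]
LINE_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+)?'
    r'(?P<type>(?:ssh-|ecdsa-sha2-|sk-)\S+)\s+(?P<blob>\S+)(?:\s+(?P<comment>.*))?$'
)
# One option: a name, optionally ="quoted value" (commas and spaces may sit inside quotes)
OPT_RE = re.compile(r'([A-Za-z0-9-]+)(?:="(?:\\.|[^"\\])*")?')
LOCKDOWN = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

def audit(text):
    """Return [(line_no, comment, [issues])] for entries with weak restrictions."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((no, "", ["unparseable entry"]))
            continue
        # Option names are case-insensitive in OpenSSH
        opts = {o.lower() for o in OPT_RE.findall(m.group("opts") or "")}
        issues = []
        if "from" not in opts:
            issues.append("no from=: key accepted from any source address")
        if "command" not in opts:
            issues.append("no command=: key grants a full shell")
        if "restrict" not in opts and not LOCKDOWN <= opts:
            issues.append("forwarding/pty not disabled")
        if issues:
            findings.append((no, m.group("comment") or "", issues))
    return findings

# Constructed sample: placeholder key blobs, documentation address, hypothetical scripts
SAMPLE = '''\
# constructed entries, not taken from the Apache incident
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY1 backup@example.invalid
from="192.0.2.10",command="/usr/local/bin/sync-www",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY2 sync@example.invalid
command="/usr/local/bin/backup --mode=full,verify",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEKEY3 cron@example.invalid
'''

if __name__ == "__main__":
    for line_no, comment, issues in audit(SAMPLE):
        print(f"line {line_no} ({comment}): " + "; ".join(issues))
```

Only the fully restricted second key passes; the unrestricted key on line 2 and the partly restricted key on line 4 are reported.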
While I am far from knowledgeable on Apache's infrastructure, it does seem a little concerning that the compromised backup server was the same server used to seed the production web servers.
Apache has said that it will publish a full explanation once it has the whole story. I hope it will also announce the separation of the backup and seeding functions of the compromised backup server.