Apache.org Compromised
Apache.org servers were compromised as the apparent result of the exposure of an SSH key used to authenticate access to minotaur.apache.org (more commonly known as people.apache.org). During the compromise period, attackers were able to upload several CGI scripts and populate those scripts across multiple apache.org servers. According to Apache, the attacks began at 18:00 UTC on August 27th and were detected at 07:45 UTC on August 28th. Apache shut down the compromised servers as a result (some of which are now back online) and continues to investigate the occurrence.
Details on the SSH key exposure and resulting attack were posted to the Apache Infrastructure Team blog. The report indicates the initially compromised server was hosted by a third party. Considering a valid key was used to gain access, one has to suspect infection at that host via the all-too-ubiquitous data theft trojans being delivered via the Web.

Mary Landesman