Apache shut down all its machines as a precaution and switched over to an unaffected European mirror server. On its blog, the Apache Infrastructure TeamApache said it did not believe any end-users or downloads of enormously popular Web server software were affected. The blog also said that the attackers failed to escalate privileges.
Apache stressed that the attack was the result of the compromised SSH key, not an exploit of Apache software. It said it was conducting an audit of all affected machines.
On Thursday, the key was used to access an account used for automated backups for the ApacheCon website. The attackers created several files, including CGI scripts which they used to launch rogue processes this morning on Apache's production Web services.
There was no information on how the attackers were able to get the SSH key. In 2001, an attacker was able to compromise SSH on SourceForge and tunnel to the Apache site when an Apache developer logged into his SourceForge account.