Apache.org Compromised

Apache.org was offline for 3 hours this morning after one of their servers was compromised. Their sites were displaying the message:


The message goes on to say that the compromise is "not due to any software exploits in Apache itself", but was instead due to a compromised SSH key.

Update: Most of apache.org's sites came back online this afternoon after they switched over to servers not compromised in the attack. Apache have released more information about the incident: an account used for backups was compromised on a back-end server. This server distributes content to Apache's public web servers, so the attackers used it to distribute scripts to the web servers; once the scripts were public, the attackers could execute them remotely, gaining access to the web servers as well. These rogue processes were detected, however, and the servers were taken offline for investigation and clean-up.

Apache state that downloads were not affected, but have advised that users should always check the digital signatures on downloads from their site.

Apache.org suffered a server compromise after an SSH key was exposed in 2001.

A current performance graph for www.apache.org can be seen here.