A little earlier we (the Infrastructure team) published our incident report for last week's intrusion. You can read the full report here.
In essence, the server that hosted the apachecon.com website was compromised, and after a short while the attackers discovered the SSH key that allowed them to gain shell access on people.apache.org. From there they placed files in the webroot of several websites. These were then rsync'd to the US and EU website mirrors.
As most of our sites used CGI to offer a 'nearest mirror' download service, we had to support the use of ExecCGI. This meant the placed scripts were executable. The CGI scripts essentially allowed the attacker to gain remote shells (in the context of the webserver) by sending commands via HTTP POST requests.
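One way to catch this class of problem before content is synced to mirrors is to compare every CGI-handled file in the webroot against an approved manifest. The following is an added example, not code from the incident report or from the Infrastructure team; the suffix list, the file names (mirror/nearest.cgi, images/logo.cgi) and the manifest format are assumptions, and the sample tree is constructed.

```python
import hashlib
import os
import tempfile

# Assumption: suffixes the site maps to the cgi-script handler.
CGI_SUFFIXES = (".cgi", ".pl")


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit_webroot(webroot, approved):
    """Return sorted (relative_path, reason) findings for CGI files.

    approved maps a relative path to its expected SHA-256 hex digest.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(CGI_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if rel not in approved:
                findings.append((rel, "unapproved"))   # script nobody signed off
            elif sha256_of(full) != approved[rel]:
                findings.append((rel, "modified"))     # approved path, new content
    return sorted(findings)


def build_constructed_webroot(root):
    """Constructed sample tree: one approved script, one planted file."""
    os.makedirs(os.path.join(root, "mirror"))
    os.makedirs(os.path.join(root, "images"))
    good = os.path.join(root, "mirror", "nearest.cgi")  # hypothetical name
    with open(good, "w") as fh:
        fh.write("#!/bin/sh\necho 'Content-Type: text/plain'\necho\n")
    with open(os.path.join(root, "images", "logo.cgi"), "w") as fh:
        fh.write("#!/bin/sh\n# constructed placeholder for a planted file\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    return {"mirror/nearest.cgi": sha256_of(good)}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        manifest = build_constructed_webroot(root)
        for rel, reason in audit_webroot(root, manifest):
            print(f"{reason}: {rel}")
```

Run as a gate in front of the rsync step, a non-empty result stops the sync so an unapproved script never reaches the mirrors.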
There are no residual effects, and all services have been restored. The full report contains all the details.