When it came back online, it briefly showed this message:
The site looks normal now.
Why is this important? Because the Apache web server software is distributed from apache.org, and roughly one half of all the web servers on the planet run on Apache!
This is a good reason to NOT leave SSH keys to your servers lying around and to properly practice separation of security concerns. A backup machine shouldn’t EVER have the necessary privileges to push live code to production!
The fact that this was caught by luck (i.e., the attackers didn’t install a rootkit that hid all activities from observation, and someone happened to be observing) is even more frightening given the reliance on Apache code across the internet.
More info now at blogs.apache.org.