It seems the Web sites infected so far have not been compromised in themselves, but rather the servers hosting them. Reading ScanSafe's STAT blog, I was interested to see that there is some question as to how the hosting servers were being manipulated. The belief is that a kernel-based rootkit is used to keep the compromised systems open to the attackers after the initial infection. ScanSafe noted that a few hours after making configuration changes to one of the infected servers, those changes mysteriously reversed themselves.
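The "changes reversed themselves" observation is exactly the pattern a file-integrity check can surface: a watched file whose digest moves away from its last known state and then lands back on an earlier one. The script below is an added example, not code from the original post or from ScanSafe; the watch list, paths and file contents are constructed for illustration. It keeps a history of SHA-256 digests per file and reports any file whose current digest matches an earlier snapshot rather than the most recent one.

```python
"""Detect configuration files silently reverting to an earlier state.

Added example (not from the original post). A history of SHA-256 digests
is kept for a set of watched files; a file whose digest differs from the
previous snapshot but equals one taken earlier is reported as a reversion,
the pattern ScanSafe described (an admin's edit undone hours later).
"""
import hashlib
from typing import Dict, List, Tuple

# Hypothetical watch list for a cPanel/Apache host; adjust to the system.
WATCHED_FILES = [
    "/etc/httpd/conf/httpd.conf",
    "/etc/ld.so.preload",
    "/etc/ssh/sshd_config",
]


def digest(data: bytes) -> str:
    """SHA-256 hex digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def snapshot_from_disk(paths=WATCHED_FILES) -> Dict[str, str]:
    """Hash real files. A missing file is recorded as 'MISSING' so that a
    delete-then-recreate cycle is visible as a change as well."""
    snap: Dict[str, str] = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                snap[path] = digest(fh.read())
        except OSError:
            snap[path] = "MISSING"
    return snap


def snapshot_from_contents(contents: Dict[str, bytes]) -> Dict[str, str]:
    """Same shape as snapshot_from_disk, for in-memory (constructed) data."""
    return {path: digest(data) for path, data in contents.items()}


class ReversionDetector:
    """Stores successive snapshots and flags files that return to an
    earlier state. Keep the history off the monitored host: a kernel
    rootkit on the box can lie to any tool that runs there."""

    def __init__(self) -> None:
        self.history: List[Dict[str, str]] = []

    def record(self, snap: Dict[str, str]) -> List[Tuple[str, int]]:
        """Append snap and return (path, index_of_matching_snapshot) for
        every file that changed since the last snapshot *and* now matches
        a snapshot older than that one, i.e. a change that was undone."""
        reverted: List[Tuple[str, int]] = []
        if self.history:
            prev = self.history[-1]
            for path, h in snap.items():
                if prev.get(path) == h:
                    continue  # unchanged since the last check
                # Walk older snapshots, newest first, looking for this digest.
                for idx in range(len(self.history) - 2, -1, -1):
                    if self.history[idx].get(path) == h:
                        reverted.append((path, idx))
                        break
        self.history.append(snap)
        return reverted


def demo() -> List[Tuple[str, int]]:
    """Constructed walk-through: baseline, admin edit, then the edit undone."""
    cfg = "/etc/httpd/conf/httpd.conf"
    det = ReversionDetector()
    det.record(snapshot_from_contents({cfg: b"LoadModule evil_module modules/evil.so\n"}))
    det.record(snapshot_from_contents({cfg: b"# evil module removed by admin\n"}))
    # The third snapshot matches the baseline again: something put it back.
    return det.record(snapshot_from_contents({cfg: b"LoadModule evil_module modules/evil.so\n"}))


if __name__ == "__main__":
    for path, idx in demo():
        print(f"REVERTED: {path} now matches snapshot #{idx}")
```

Run it periodically (cron, or better from a management host over SSH) and store `history` somewhere the monitored server cannot write to. If a kernel rootkit is suspected, hashes taken from the live system are only a hint; the authoritative comparison is made with the disk mounted from rescue media.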
The infected groups of servers are running various flavours of Linux and hosting many different versions of Apache, which makes it unlikely that the root vulnerability is in Apache. The servers are not all owned by one hosting company, so direct infection via physical interference is unlikely too. One piece of software common to all of the infected hosts is cPanel; ScanSafe think this is significant, but not necessarily the root source of the compromise.
Reading through a hefty comments section on this subject over on The Register, I found the point of weakness is still a mystery. Some people are blaming out-of-date software and poor system administration, while others are pointing towards something more serious than a few easy-to-brute-force passwords.
I'll certainly be interested to find out how these servers were compromised. It could be no more than a case of a few hacked servers; on the other hand, if the root compromise was the result of an unknown vulnerability in multiple versions of PHP or Apache, then this could be the tip of an epidemic!