There is speculation (though no confirmation, everyone at Yahoo!, including Filo, have been keeping this hush-hush) that it Yahoo!'s webserver is built on an old version of Apache and in the process they might have neglected to patch one of the known holes from the older versions of Apache.
In any case, word has supposedly come from someone at Yahoo that this exploit does not effect other FreeBSD hosts. So whether its a case of a modified buggy version of Apache, or some poorly written CGI's (possibly remote administration ones?) remains to be seen.
thomas "devrandom" stromberg
sysadmin @ royal institute of technology.