Apache does come with OS X and there's a possibility of it being activated as I did run OS X Server a few years ago. A compromise is a bit unlikely but I will check however I can. Worst case I ask my ISP to drop incoming port 80 at the exchange point. I liked hosting my site at home (nginx) but did recently stop. I suppose Apache sprung at the first chance to listen on *:80 now that nginx is gone.