If the attacker HAS COMPROMISED YOUR WEB SERVER - It's more that likely further code uploading and execution can compromise the VirtualBox & Host OS.
I assume code uploading and execution can compromise anything running in RAM as well. The nice thing would be that it all goes away with a power down. I have to bring myself up the curve on quite a few things, but I still think the idea has some merit.
Vesp, have to tried to go through that hidden services for newbie doc? I started here:
hxxp://tor2web.org/config
I emailed them asking about some of the missing very important files. I actually got a response from Aaron Swartz.
he only gives out tor2web.org.crt & tor2web.org.key when they trust people to run an official site. Not entirely sure what that means, but I assume once folks start getting connected/playing around they have some way of testing your setup. Who knows.
He suggested in the mean time using self-signed certificates from here:
hxxp://www.akadia.com/services/ssh_test_certificate.html
I never hosted anything outside of windows server, so I was at square one with apache yesterday. I am going to dive into this today:
hxxps://www.torproject.org/docs/tor-hidden-service.html.en