I decided to try out www.openhosting.com, which is a utility-based virtual hosting company that uses completely open source software for their hosting. You get a Red Hat box to do with as you want in a virtually hosted environment.
I'll take a moment to say all the good things about openhosting before I tell you my sad tale. They're friendly, have good and prompt support, their pricing is fair for the low end server range, and it's easy to get up and running. Their reporting tools are fantastic too... open source software really wins sometimes.
Other times, however, it gets your box hacked. Today's sad story is a combination of VirtualLinux and VNC. You see, I know that VNC isn't a strongly secure protocol, so the smart thing to do with it is to run it as -localhost only- (i.e. only connections from the local computer will work). That, coupled with SSH tunneling, makes for a reasonably secure VNC server.
However, there was a trick to this server setup. It seems that VirtualLinux (VLinux) does not have a way to do virtualized loopback devices.. that means there's no lo device.. that means there's no localhost.. that means there's no 127.0.0.1 on your virtual machine -at all-.
Here comes the tragedy of the open source world. This is a major security oversight: most programs bind to localhost by default to -avoid being accessible from the internet-. This is a common security approach with most software - open source or not. However, in this case, when the localhost lo device was not found, the software - in this case VNC - silently bound to the default device on the computer instead.. the ethernet port! Which means VNC, with its weak security, was open to the entire world, even though it had been started with the "localhost only" setting.
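A quick check for exactly this failure mode, added here as an example and not code from the original post: feed it the output of `ss -Hltn` (or `netstat -ltn`, whose fourth column has the same `Local Address:Port` shape) plus the port the service was supposed to bind on loopback only, and it reports any listener on that port that ended up on a non-loopback address. The listener lines in the block are constructed sample data; the port numbers (5900, 5901, 5902) are the usual VNC display ports and are assumptions for the example.

```sh
#!/bin/sh
# Added example, not code from the original post. Verifies that a service which
# was started "localhost only" really is bound to a loopback address, which is
# exactly the assumption that fails on a host with no lo device.
#
# Reads listener lines in the shape printed by `ss -Hltn` or `netstat -ltn`
# (4th column is Local Address:Port) on stdin.
#
# Exit status: 0 = every listener on PORT is on loopback
#              1 = at least one listener on PORT is on a non-loopback address
#              2 = nothing is listening on PORT at all
check_loopback_only() {
    awk -v port="$1" '
        {
            laddr = $4                      # e.g. 127.0.0.1:5901, 0.0.0.0:5901, [::]:5901
            n = split(laddr, parts, ":")
            if (n < 2 || parts[n] != port) next
            # everything before the final ":<port>" is the bound address
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1") {
                print "EXPOSED: " laddr
                bad = 1
            }
        }
        END {
            if (!found) exit 2
            if (bad) exit 1
            exit 0
        }
    '
}

# Constructed sample in `ss -Hltn` format: a VNC display on loopback as intended,
# sshd on all interfaces (expected), and a VNC display that silently fell back to
# the ethernet address because there was no loopback device to bind.
SAMPLE_LISTENERS='LISTEN 0 5   127.0.0.1:5901   0.0.0.0:*
LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
LISTEN 0 5   0.0.0.0:5900      0.0.0.0:*'

# Runs the check against the constructed sample for one port.
check_sample_port() {
    printf '%s\n' "$SAMPLE_LISTENERS" | check_loopback_only "$1"
}

# Demo when run directly. On a live box use:  ss -Hltn | check_loopback_only 5901
for p in 5901 5900 5902; do
    check_sample_port "$p"; rc=$?
    case $rc in
        0) echo "port $p: loopback only" ;;
        1) echo "port $p: NOT loopback only" ;;
        *) echo "port $p: nothing listening" ;;
    esac
done
```

Running this right after starting the VNC server would have caught the problem in seconds: the "localhost only" display shows up bound to 0.0.0.0 instead of 127.0.0.1, and a port with nothing listening at all (exit status 2) is itself a hint that the daemon failed to bind and is worth a look in its log.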
And boy oh boy, it took the hackers not very long to figure this out and transfer 30GB across my computer with a broken attempt at being a botnet for IRC and some bootlegged movies. They also installed a rootkit that used cron to run a fake sh that ensured that they would keep their root access.
So as annoying as this was - they stupidly took down my Smalltalk image just before I was demoing some software to a friend. That clued me in that something was wrong. Openhosting provides an externalized way of shutting down your virtual server and rebuilding it.
So while I feel like a total dolt for having my box hacked (years of Debian - never been hacked. A few weeks of Red Hat in a virtualized server.. bam).. I also feel slightly vindicated that I figured out -how- I got hacked and why, and also that it's one hell of a trap for newbies, given that localhost is pretty much relied on by any and all - even under Windows.
So.. a word of warning to those out there considering a virtualized hosting solution - VLinux does not support localhost.