
Comment Re:Only attacks that are noticed can be recorded (Score 1) 412

I work for a CLEC (phone company) that provides T1s data and voice. Most of the time we provide a router and manage it ourselves. You would not believe how many admins/IT departments don't know that their windows boxes have been compromised. Someone says their internet is slow, a ticket comes to my group, we look at the traffic going across the router and sure enough, some box inside the network is scanning subnets on a specific TCP or UDP port.

we've got the webserver worms scanning on port 80...
then there's a nice SQL hack out there that scans on 1433
there's a netbios hack which scans 139
and there are a few other obscure hacks for some other services which aren't used too much

in the last year of doing this job, i saw one guy with a linux box and an old, unpatched version of Bind. his box was scanning on port 53 of course.

why do i see so many windows boxes that are hacked/infected? mainly because most people don't know to use anything else!! beyond that they don't manage the boxes like they should (patches, updates...) and on top of that, they don't know when it's been compromised. poor management and lax security practices cause a BIG part of the problem. the correlation most people make is "windows = poor security" when they should be saying "admin-who-doesn't-understand-anything-but-point-and-click = poor security"

now i'm not a windows advocate, but for crying out loud, if a windows admin keeps up with patches and updates and keeps logs and does all the right stuff, he'll most likely be ok. on the other hand, if a linux admin installs the box and leaves it hanging out on the internet, he's going to have problems.
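
The check described in the comment above (an inside host contacting many different addresses on one TCP or UDP port) can be sketched over flow records. This is an added example, not part of the original comment; the record layout, the addresses, the `10.0.0.0/24` inside network and both thresholds are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

def build_sample_flows():
    """Constructed flow records (src, dst, proto, dst_port); not data from the comment."""
    flows = []
    # Inside host sweeping a subnet on TCP 1433, one attempt per address.
    flows += [("10.0.0.23", f"198.51.100.{h}", "tcp", 1433) for h in range(1, 61)]
    # Ordinary workstation: many requests, but to only three web servers.
    flows += [("10.0.0.40", f"203.0.113.{10 + i % 3}", "tcp", 80) for i in range(90)]
    # Internal resolver: heavy UDP 53 traffic to four upstream servers.
    flows += [("10.0.0.53", f"192.0.2.{1 + i % 4}", "udp", 53) for i in range(200)]
    # Outside host probing inward: ignored, the goal is to find inside sources.
    flows += [("203.0.113.99", f"10.0.0.{h}", "tcp", 139) for h in range(1, 61)]
    return flows

def find_scanners(flows, inside="10.0.0.0/24", min_targets=50, min_spread=0.8):
    """Return (src, proto, port, distinct_targets) for inside hosts that look like scanners.

    min_targets and min_spread are assumed thresholds: a scanner touches many
    addresses and rarely talks to the same one twice, so distinct/attempts is near 1.
    """
    inside_net = ipaddress.ip_network(inside)
    targets = defaultdict(set)   # (src, proto, port) -> distinct destinations
    attempts = defaultdict(int)  # (src, proto, port) -> number of flows
    for src, dst, proto, port in flows:
        if ipaddress.ip_address(src) not in inside_net:
            continue
        key = (src, proto, port)
        targets[key].add(dst)
        attempts[key] += 1
    findings = []
    for key, dsts in targets.items():
        spread = len(dsts) / attempts[key]
        if len(dsts) >= min_targets and spread >= min_spread:
            findings.append((*key, len(dsts)))
    return sorted(findings)

if __name__ == "__main__":
    for src, proto, port, count in find_scanners(build_sample_flows()):
        print(f"{src} contacted {count} distinct hosts on {proto}/{port}")
```

Counting distinct destinations per port, rather than raw traffic volume, is what keeps the busy workstation and the resolver out of the results.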
