by worldwidelies 804 days ago
> Your server will be secure because it's obscure. But it's still very likely to become a target for autistic geniuses.

I legit laughed out loud.

Friend used to run his webservers on Amigas about two decades ago, back in a time when hooking up an unpatched Windows system to a 100MBit connection would have it infected before you could start updating it. "Of course the webserver there is horribly insecure, as there haven't been new releases in years, but it's so obscure that none of the exploits work"

Did that time end? I'm pretty sure it's still a very bad idea to make a system with common serious vulnerabilities even briefly publicly reachable on IPv4.

If you install Windows XP from the release CD and attach it to the public internet, and let it sit, unless your ISP filters out the file sharing ports, I think it will get taken over fairly quickly. But Windows Vista and later don't make services available by default.

It's also very popular for ISPs to drop traffic on the Windows file sharing ports, because it's almost all either malicious or at least unintentional.

I was gonna be worried for a second, then I remembered that kind of person almost never lives a terminally-online, hacking-obsessed life.

Phew.

gets back to trying to convince his bank to send his data over plain FTP

Morning standup at a state-sponsored hacking organization…

Bob: A big round of applause to Fred and Jane for setting up that XZ back door! Boy that got us so much intel!

A round of polite clapping.

Bob: What’s your status, Igor?

Igor: Bah, my target is running web server on MS-DOS. I finally managed to hand craft 16 bit 8086 machine code exploit last night (mind you during Hacker News Hug of Death) and gain remote access to A: drive but it turns out secrets are actually hosted on Amiga 2000 on private LAN which I can ping but I don’t know 68k.

Bob: Fortunately we’re a state sponsored hacking organization so we have considerable resources. R.J., do you think you can help Igor?

R.J.: Sure! Igor, do you know if it has an OCS or ECS chipset? …

Nowadays there are armies of bots that will find an insecure internet-connected server within seconds. Security through obscurity isn't much of a thing anymore.

These bots you are talking about are not intelligent, they do not find "insecure" servers to break into. They simply brute-force and exploit known bugs on popular services.

There is no botnet targeting web services running on DOS, because no one is running web services on DOS.

> they do not find "insecure" servers to break into. They simply brute-force and exploit known bugs on popular services.

What exactly is the difference?

Finding insecure servers, what human hackers would do, requires persistence, time and a working brain.

Bots, instead, throw shit at a wall and see what sticks. Move your SSH server with credentials root:root on port 1234 and notice how many bots get utterly defeated (only for sake of argument, because OpenSSH has a banner which makes it easy to identify wherever it's running)

> Bots, instead, throw shit at a wall and see what sticks

And once it sticks, an insecure server has been found. A bot is just a tool someone is using.

These tend to try the top _n_ exploits on common ports. In fact, a little obscurity rids oneself of common attacks. I usually move my WordPress admin access to a different port and URL and that really does stop scripts from trying exploits all day long. (Of course, I make sure everything else is set for security, too.)

Yeah. I eliminated a persistent bot attack on a webapp in minutes by simply adding a very easy question on user signup (like "what's 1+1?")

Security through obscurity is an overused concept: it doesn't work against determined humans, but on the greater internet, when your adversaries are bots, it is extremely effective.

It even works on determined humans. It's defeatable but dissuades many humans and slows down the rest. It is a useful layer in security. It just can't be the only layer.