I put up a brand new site - no content yet, but it's getting probed by spammers/hackers already. Here's a list of the URLs they tested one day - note the variety of software/exploits they were checking for. They tested for a variety of forum scripts and folders, ad serving scripts, email software, and more. Moral: change defaults to your own non-obvious values, and be sure your scripts are patched to the latest security revision:

/horde3//README
/horde//README
//README
/horde-3.0.9//README
/horde2//README
/Horde//README
/Forums/
/bb/
/board/
/forum/
/forums/
/Forum/
/portal/forums/
/cal/tools/send_reminders.php
/portal/forum/
/phpadsnew/adxmlrpc.php
/calendar/tools/send_reminders.php
/members/phpBB2/
/boards/
/thisdoesnotexistahaha.php
/discussion/
/bbs/
/members/phpbb/
/webcalendar/tools/send_reminders.php
/html/forums/
/members/phpBB/
/ugboard/
/newboard/
/phpAdsNew/adxmlrpc.php
/phpBB/
/bulletinboard/
/adxmlrpc.php
/a1b2c3d4e5f6g7h8i9/nonexistentfile.php
/WebCalendar/tools/send_reminders.php
/phpbb/
/foros/
/msgboard/
/portal/
/phpBB2/
/bulletinboards/
/newboards/
/nar/
/Calendar/tools/send_reminders.php
/ugboards/
/adserver/adxmlrpc.php
/html/forum/