install.php, you were right. your bum was hanging squarely out of the window, and you should probably consider beefing up your security.
drupal's default exposure of files like
cron.php present inherent security risks, for both denial-of-service and intrusion. combine this with critical administrative functionality available to the world, protected only by user defined passwords, broadcast over the internet in clear-text, and you've got potential for some real problems.