Those really don't look suspicious to me at all ... of course, I don't have the URL to your site to check myself. Heck, your Moodle is NOT going to be totally private where only certain IP addresses can see/view/use it, is it?
There is a lot of caching going on ... browser, Moodle (now in moodledata/cache moodledata/localcache moodledata/MUC/ plus php-opcache, etc. Does your setup use any memcache/memcached?
[root@sos moodle31data]# find ./localcache/ -name \*.css
./localcache/theme/1465676024/clean/css/all.css
./localcache/theme/1465676024/clean/css/all.2.css
./localcache/theme/1465676024/clean/css/all.0.css
./localcache/theme/1465676024/clean/css/all.1.css
Ahhhh ... new info ... not before disclosed ... 'till I used a local plugin for user tour in combination with another theme' So you removed the local plugin but what of the theme you installed? or did I mis-undertand that?
Anyhoooo .... think we need to get nasty now ...
cd /pathtomoodledata/moodledata/
cd sessions
rm -fR *
cd ../cache
rm -fR *
cd ../localcache
rm -fR *
cd ../
ls -lR cache - anything there? shouldn't be.
ls -lR localcache ... anything there? shouldn't be.
ls -lR sessions ... anything there? Then someone hit the site and might have logged in on ya.
restart web service - that should re-populate any php-opache.
Got anything running to help protect Moodle that might be involved? suPHP or seLinux or whatever?
While apache is restarting, **clear ***all*** browser caches ... IE, FireFox, Chrome ... whatever you have for browsers. None of those share caching so you have do them all - one at a time.
Then, try the site ... with Firefox first so you can do the Web Tools thing with it.
It should appear slower at first, but clicking around the site the cache and localcache diretories will begin to populate.
Don't think you need to do a fresh install of anything ... heck, originally this was an upgrade.
And assume you've double checked all ownerships/permissions again. Yeah, I know. ;)
'spirit of sharing', Ken