"Guest user has logged in" ?

Re: "Guest user has logged in" ?

by Ken Task -

Ideas/Guesses is all that anyone would have  ... that's it.   So here goes my guess ...

Looks like all the attempts/logins as guest user come from a single IP address:
109.11.191.168
and the Time column shows the same time: 4:12 AM - would imagine somewhere down on the next page of the log one should see a different time ... 4:13 AM ... etc.

The origin is web .. which means Moodle/your server sees access as coming from a browser which could be a bot or command line something ... like wget or curl (Apache server logs would/should show that).

You could cross reference what you see in Moodle with the Apache (assuming you are running Apache; you've not said) access logs.   And while you are at that, might see if there are any references in the Apache error_log for that IP address.  What that IP address might be attempting to do will show there in the error_log.

IF you were running Apache and the access logs of your setup are in /var/log/httpd/access_log for example,
one could use the following command in /var/log/httpd/

fgrep 109.11.191.168 access_log*

which will search all access_log files ... the active one plus all the archived access logs ... for
any entry from that IP address.  It should also show information about the browser being used.

That IP is assigned to (or appears to be assigned to) the following network:
sfr.net

dig -x 109.11.191.168

http://whois.domaintools.com/sfr.net

A traceroute run at that IP shows the trail ending at:

numericable.fr

after which there are no responses in tracing the route.

That looks to be a user on a home cable system.

Anyone's guess as to what / reason why ...

Could be a feeble attempt at a denial of service.

It is annoying and sure makes your log almost useless for finding info on your users in the Moodle system, but ....

Do you have anything set up for guest access?   Turn off guest access.  Force all to login.

Is your Moodle up-to-date?   (latest secure version of whatever series?)

They might be trying to exploit a hole (error log would show that).  Moodle code is really pretty secure.   But then again who really knows?

You could attempt to lodge a formal complaint to the network admins of that system but I've found that to be somewhat futile in proving malicious intent unless one is really good at forensics and something is happening with Moodle that shouldn't.

Got a firewall on server?  iptables/chains and even Linux kernel routing could make your server deny any access from the single IP address.  I've had to do just that with some pesky IP addresses - of course, if it is a hacker and they are good at what they are doing, they just spoof another IP address or find another box to bot and use it.

Soooooo ... ?????

'spirit of sharing', Ken
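
The cross-reference described in the post above, as an added example that is not part of the original post: it matches the IP only against the client field of each access-log line (a plain fgrep also hits lines where the address merely appears in a URL or referer) and counts requests per minute, per status code and per User-Agent. It assumes Apache's "combined" log format; the function names `ip_summary` and `sample_log` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise what one client IP did, from Apache "combined" logs.

# sample_log: constructed log lines (not real traffic) so the example runs offline.
sample_log() {
cat <<'EOF'
109.11.191.168 - - [10/Mar/2015:04:12:01 +0000] "GET /login/index.php HTTP/1.1" 200 5120 "-" "curl/7.29.0"
109.11.191.168 - - [10/Mar/2015:04:12:02 +0000] "POST /login/index.php HTTP/1.1" 303 512 "-" "curl/7.29.0"
109.11.191.168 - - [10/Mar/2015:04:13:05 +0000] "GET /course/view.php?id=1 HTTP/1.1" 200 9000 "-" "curl/7.29.0"
192.0.2.10 - - [10/Mar/2015:04:12:03 +0000] "GET /?from=109.11.191.168 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
EOF
}

# ip_summary IP [FILE...]: reads the named logs (or stdin) and prints
#   total N / minute dd/Mon/yyyy:HH:MM N / status CODE N / agent N USER-AGENT
ip_summary() {
    ip=$1; shift
    awk -v ip="$ip" -F'"' '
        {
            # Splitting on the double quote gives: $1 = client, identity, user
            # and timestamp; $2 = request line; $3 = status and size;
            # $6 = User-Agent. A request containing an escaped quote shifts
            # these fields, so read such lines by hand.
            split($1, head, " ")
            if (head[1] != ip) next            # exact match on the client field
            minute = substr(head[4], 2, 17)    # "[10/Mar/2015:04:12:01" -> to the minute
            split($3, st, " ")
            per_min[minute]++; status[st[1]]++; agent[$6]++; total++
        }
        END {
            printf "total %d\n", total
            for (m in per_min) printf "minute %s %d\n", m, per_min[m]
            for (s in status)  printf "status %s %d\n", s, status[s]
            for (a in agent)   printf "agent %d %s\n", agent[a], a
        }' "$@" | LC_ALL=C sort
}

# Demo on the constructed sample; on a server, pass the real files instead,
# e.g. ip_summary 109.11.191.168 /var/log/httpd/access_log*
sample_log | ip_summary 109.11.191.168
```

A burst of requests inside one minute with a single command-line User-Agent points to a script rather than a person at a browser; rotated logs that are gzip-compressed need to be decompressed (for example with zcat) and piped in on stdin.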