Unknown page request on moodle server

Re: Unknown page request on moodle server

by Ken Task -

Welcome to the world wide web! :) That IP is scanning your server, looking for a compromised server that might have had php scripts installed remotely.

***None of the php scripts you see in the logs are part of Moodle.***

The IP address:

Do a whois on the IP and one will see that specific IP is from:

inetnum:        132.232.0.0 - 132.232.255.255
netname:        TENCENT-CN

While you could attempt to communicate with the netadmins of TENCENT, asking them to investigate, prevent, block, etc., good luck with that!

It's annoying ... and if you don't want to see them, block the range of IP addresses that would come from that network:

132.232.0.0/16

If CentOS 7, there is a zone for 'reject' ... any access by an IP address in the class B block of IPs could be set to autoreject.

firewall-cmd --zone=drop --add-source=132.232.0.0/16

would do it - does do it ... know for a fact as I have already blocked that net.

If CentOS 6, one could use the route command to route all traffic from that class B block of IPs off into la-la-land.

Now before someone gets critical about blocking entire ranges of IPs and networks ... in case you haven't noticed, WWW3 - the cyberwar has already begun.   And, my clients are not from CN ... not that I am prejudiced, etc. ... it's a network thang ... nothing personal.

'spirit of sharing', Ken


Average of ratings: Useful (2)
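
A way to confirm the pattern described in the post before blocking anything, as an added example that is not part of Ken's post: it counts 404 responses to `.php` requests per source /16 in an Apache combined-format access log and prints the matching firewalld commands without running them. The log lines are constructed and the function names are hypothetical; `--permanent` and `--reload` are added here because the runtime-only form of the command does not survive a firewalld reload or a reboot.

```shell
#!/bin/sh
# Added example: spot sources probing for PHP scripts that do not exist (404)
# and print, without running them, firewalld commands that drop their /16.

# Constructed sample in Apache combined log format (not from the thread).
sample_log() {
cat <<'EOF'
132.232.10.5 - - [01/Jan/2020:10:00:01 +0000] "GET /probe-a.php HTTP/1.1" 404 196 "-" "-"
132.232.10.5 - - [01/Jan/2020:10:00:02 +0000] "GET /probe-b.php HTTP/1.1" 404 196 "-" "-"
132.232.77.9 - - [01/Jan/2020:10:00:03 +0000] "POST /probe-c.php?x=1 HTTP/1.1" 404 196 "-" "-"
132.232.10.5 - - [01/Jan/2020:10:00:04 +0000] "GET /probe-d.php HTTP/1.1" 404 196 "-" "-"
132.232.10.5 - - [01/Jan/2020:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [01/Jan/2020:10:01:00 +0000] "GET /login/index.php HTTP/1.1" 200 8042 "-" "Mozilla/5.0"
203.0.113.20 - - [01/Jan/2020:10:02:00 +0000] "GET /old-bookmark.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
EOF
}

# scanner_nets MIN: read a log on stdin and print "<hits> <a.b.0.0/16>" for
# every /16 with at least MIN 404 responses to *.php requests, busiest first.
# Real Moodle pages answer 200, so they are never counted; IPv6 is skipped.
scanner_nets() {
    awk -v min="$1" '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $9 == 404 && $7 ~ /\.php(\?|$)/ {
            split($1, o, ".")
            hits[o[1] "." o[2] ".0.0/16"]++
        }
        END { for (n in hits) if (hits[n] >= min) print hits[n], n }
    ' | sort -rn
}

# block_cmds: turn scanner_nets output into firewalld commands (printed only,
# so the list can be reviewed before anything is blocked).
block_cmds() {
    while read -r _hits net; do
        echo "firewall-cmd --permanent --zone=drop --add-source=$net"
    done
    echo "firewall-cmd --reload"
}

# Threshold of 3 keeps a single stale bookmark (203.0.113.20) off the list.
sample_log | scanner_nets 3 | block_cmds
```

Feed it the real log with `scanner_nets 3 < access_log` (path depends on the install) and check that no network your own users come from appears before applying the output.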