Your server should have an access log. To get a clue on what might be going on, do a search of the access log for '/login/password.php'.
Bash shell script like 'slog':
fgrep -- "$1" /var/log/httpd/ssl_access_log
$1 is what you are searching for ...
./slog '/login/change_password.php'
Will show all references in log for that URL ... log normally shows IP address in first column.
Shouldn't assume it's something malicious as it could be a user on your system that was attempting multiple times. So a query of mdl_user table is needed:
select id,username,firstname,lastname,email,country,lastip,timemodified from mdl_user where lastip = 'IPADDRESS';
Don't see that IP in mdl_user table?
Consider blocking it.
'SoS', Ken
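
The log-then-database check described in the post above, as an added example that is not part of the original post. The function names `hits_by_ip` and `unknown_ips`, the known-IP file (assumed to be an export of `mdl_user.lastip`) and the sample log lines are all constructed for illustration; it assumes the client IP is in the first column of the access log.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes an Apache-style access
# log with the client IP in the first column.

# hits_by_ip URL LOGFILE -> "COUNT IP" lines, busiest client first
hits_by_ip() {
    grep -F -- "$1" "$2" |
        awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# unknown_ips URL LOGFILE KNOWN_FILE -> same format, minus IPs listed in
# KNOWN_FILE (one per line, e.g. from: select distinct lastip from mdl_user;)
unknown_ips() {
    hits_by_ip "$1" "$2" |
        awk -v known="$3" '
            BEGIN { while ((getline ip < known) > 0) { sub(/\r$/, "", ip); seen[ip] = 1 } }
            !($2 in seen)'
}

# Constructed sample data (documentation-range addresses) so this runs offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
SAMPLE_LOG="$demo_dir/ssl_access_log"
KNOWN_IPS="$demo_dir/known_ips.txt"
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [10/Mar/2024:09:01:02 +0000] "POST /login/change_password.php HTTP/1.1" 200 512
203.0.113.45 - - [10/Mar/2024:09:02:10 +0000] "POST /login/change_password.php HTTP/1.1" 303 0
203.0.113.45 - - [10/Mar/2024:09:02:11 +0000] "POST /login/change_password.php HTTP/1.1" 303 0
192.0.2.10 - - [10/Mar/2024:09:02:30 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 20480
203.0.113.45 - - [10/Mar/2024:09:02:12 +0000] "POST /login/change_password.php HTTP/1.1" 303 0
198.51.100.7 - - [10/Mar/2024:09:03:40 +0000] "POST /login/change_password.php HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2024:09:04:00 +0000] "GET /login/change_password.php HTTP/1.1" 200 4096
203.0.113.45 - - [10/Mar/2024:09:04:13 +0000] "POST /login/change_password.php HTTP/1.1" 303 0
EOF
printf '%s\n' 198.51.100.7 > "$KNOWN_IPS"   # stands in for the mdl_user export

echo "All clients requesting the URL:"
hits_by_ip '/login/change_password.php' "$SAMPLE_LOG"
echo "Clients with no matching mdl_user.lastip:"
unknown_ips '/login/change_password.php' "$SAMPLE_LOG" "$KNOWN_IPS"
```

An IP missing from the known list is only a candidate for blocking: `lastip` records each user's most recent address, so a legitimate user who has since logged in from elsewhere will also appear here.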