Are these malicious requests in my apache access log?
Any public server will see these attempts (and many, many more targeting other commonly installed software). They're automated, usually done from overseas/Tor/botnets, and there's enough people trying this that blocking IPs is essentially useless.
Yes, they're malicious, but no, they're not really worth getting fussed over.
These usually target ancient versions of things like phpMyAdmin, WordPress, Drupal, and other common tools with known vulnerabilities - keep your third-party code updated and you should be fine.