Are these malicious requests in my apache access log?

debian apache-2.2

Any public server will see these attempts (and many, many more targeting other commonly installed software). They're automated, usually done from overseas/Tor/botnets, and there's enough people trying this that blocking IPs is essentially useless.

Yes, they're malicious, but no, they're not really worth getting fussed over.

These usually target ancient versions of things like phpMyAdmin, WordPress, Drupal, and other common tools with known vulnerabilities - keep your third-party code updated and you should be fine.

Related

Is it possible to create an Elastic IP address from the current IPv4 address of my ec2 instance?
Postfix - relaying specific email addresses within a mydestination domain
How to do folder redirection
Expand Windows Server 2008 RAID 5 array
Forward Incoming Traffic with Windows hosts file?
Routing traffic for specific port range
How can I intercept a socket binding call to map to another port?
FTP reverse proxying based on hostname/domain
No log handling enabled - turning on stderr logging Cannot find
Monitor status of VPN clients
How i can restrict certain file extension upload via ssh?
Apache not parsing files? Just sending downloads