Are these spoof/hack attempts?

I'm trying to figure out where these are coming from. Everything seems to be working fine, but am seeing these entries across 2 separate hosts, each running a Traefik container instance. The domains are legit (they resolve internally to the respective host), but the token values - the random PHP values - seem like spoof attempts. In checking my access logs, these IPs for these requests are from foreign countries (I'm in the US).

Some of them even get a request on port 80, get a 301 response, and then there's an attempt to the same URL on 443 (pretty positive LE callbacks won't make challenge requests over 443, right?). So, 99% sure these are just random spoofs, but want to just be sure. Thanks.

Here's a section of logs (from IIS, acting as public reverse proxy) from one of the requests. Again, seems phishy, but just 100% confirming:

2024-09-29 07:47:16 192.168.1.140 GET /.well-known/plugins.php X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=620c30dc-3a2f-4dd3-a109-d2370db62c4b&SERVER-STATUS=301 80 - 52.138.222.83 - - 301 0 0 109
2024-09-29 07:47:16 192.168.1.140 GET /.well-known/plugins.php X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=c4c450f8-e8e1-4ce2-b0dd-429a8577d21e&SERVER-STATUS=404 443 - 52.138.222.83 - - 404 0 0 124

From one of the hosts:

There are malicious actors hitting on websites all day long time. Make sure you have the latest security updates installed.

LetsEncrypt uses port 80 for httpChallenge and port 443 for tlsChallenge.