Firstly, I assume you are running X7.2.x (with Apache version 2.4.2)?
I would think that this is an external attempt to scan for certain services on the VCS Apache server.
VCS would report that error if someone actually are trying to access a location/service that is not supposed to be served for that user.
In X7.2, we have a new firewall feature which will prevent these hacking attempt. You can with this configure firewall rules to control access to the VCS at the IP level (https://vcsip/firewallrulesconfig).
In X8, there will (probably) be even more functionality (automated detection) to restict unwanted users, such as:
External API authorization protection
SIP authorization failures
SIP registration failures
SSH authorization protection
SSH intrusion protection
Telnet authorization protection
Web authorization protection
Web intrusion protection
NB:These might change in the final release!
Hope this helps,