Demo server vandalism?

Twice in the last week I have looked at our demo server, and found zero apps on the home screen.

When I manually typed the URL for the manage apps page I saw that every app was disabled. (Doing this is tedious, because you have to click on each one individually, so you need to do 20+ clicks, each with a page reload.)

Looking at the tomcat logs, I see a lot of POSTs to this URL at 1:20pm EDT today:

127.0.0.1 - - [10/May/2016:13:20:01 -0400] "POST /openmrs/referenceapplication/manageApps.page HTTP/1.1" 302 -
127.0.0.1 - - [10/May/2016:13:20:02 -0400] "POST /openmrs/referenceapplication/manageApps.page HTTP/1.1" 302 -
(and a lot more)

Looking at every day this month, it seems suspicious that there are multiple days with exactly 22 POSTs to this page. (At least two of the days with more are the days when I manually turned apps back on.)

# grep -c "POST /openmrs/referenceapplication/manageApps.page" localhost_access_log.2016-05-*
localhost_access_log.2016-05-01.txt:2
localhost_access_log.2016-05-02.txt:20
localhost_access_log.2016-05-03.txt:41
localhost_access_log.2016-05-04.txt:22
localhost_access_log.2016-05-05.txt:57
localhost_access_log.2016-05-06.txt:22
localhost_access_log.2016-05-07.txt:22
localhost_access_log.2016-05-08.txt:0
localhost_access_log.2016-05-09.txt:6
localhost_access_log.2016-05-10.txt:55

Can people keep an eye out and see if this possible vandalism persists? If it does, we may need to disable the Manage Apps functionality to keep our demo usable, or else start reloading the database more often.

Note: I ran into this again just now: