https://www.cvedetails.com/cve/CVE-2017-9841/
I'm not sure if Nextcloud uses phpunit, but it's likely just some script somewhere just running through any IP that has 80/443 open and testing for known vulnerable scripts. If it redirects to/loads a login page or Nextcloud, you are likely fine if they come back and try to post things to it.
Having your server connected to the internet will bring a lot of unwanted traffic.
For example:
$ grep 183.134.74.13 access.log.1 | wc -l
935
Sample of the logs:
183.134.74.13 - - [13/Feb/2020:02:24:34 +0000] "POST /zmp.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
183.134.74.13 - - [13/Feb/2020:02:24:35 +0000] "POST /803.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
183.134.74.13 - - [13/Feb/2020:02:24:35 +0000] "POST /zzz.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
183.134.74.13 - - [13/Feb/2020:02:24:36 +0000] "POST /ze.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
183.134.74.13 - - [13/Feb/2020:02:24:37 +0000] "POST /nnb.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
And that went on for 10 minutes.
That said, if you are worried about one random page hit from a random IP, it might be worth considering if you really need your server connected to the internet and if it wouldn't be better off using a VPN to access services.
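A per-IP summary of the kind the grep above hints at, as an added example that is not part of the original post: it parses combined-format access log lines, flags clients that request many distinct paths in a short window, and lists any request that got a 2xx response, which is the case worth a closer look. The function names, the thresholds and the 192.0.2.10 line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format, as in the sample lines quoted in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def summarize(lines):
    """Per client IP: hit count, distinct paths, first/last seen, 2xx responses."""
    stats = defaultdict(lambda: {"hits": 0, "paths": set(), "first": None,
                                 "last": None, "answered": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats[m["ip"]]
        s["hits"] += 1
        s["paths"].add(m["path"])
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        if m["status"].startswith("2"):
            # The server actually served something here; review these by hand.
            s["answered"].append((m["method"], m["path"], m["status"]))
    return stats

def likely_scanners(stats, min_paths=4, max_seconds=900):
    """IPs that hit many distinct paths in a short window (thresholds are assumptions)."""
    return {ip: s for ip, s in stats.items()
            if len(s["paths"]) >= min_paths
            and (s["last"] - s["first"]).total_seconds() <= max_seconds}

# Constructed sample: the request lines from the post (user agent shortened),
# plus one made-up ordinary client on a documentation address.
SAMPLE = [
    f'183.134.74.13 - - [13/Feb/2020:02:24:{sec} +0000] '
    f'"POST /{name}.php HTTP/1.1" 301 162 "-" "Mozilla/5.0"'
    for sec, name in [(34, "zmp"), (35, "803"), (35, "zzz"), (36, "ze"), (37, "nnb")]
] + ['192.0.2.10 - - [13/Feb/2020:02:25:00 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']

if __name__ == "__main__":
    for ip, s in likely_scanners(summarize(SAMPLE)).items():
        print(f"{ip}: {s['hits']} hits, {len(s['paths'])} distinct paths, "
              f"2xx responses: {s['answered'] or 'none'}")
```

To run it against a real file, pass `open("access.log.1")` to `summarize` in place of `SAMPLE`.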