security issue

i just noticed that an empty record has appeared at the top of my site's river and when i viewed the elgg log i see activity from an IP in a 'notorious' hacker location is logged as making changes which only admins should be able to do.. though many of the logged events don't make much sense just from observing the log records.. e.g. the user has 'created' widgets that appear on the homepage (added by me originally via homepage_cms plugin) - so the widgets already existed since i created them yet this user is logged as also now creating them..
the records also show a user profile is created against this ip address and no user name or guid is logged.

anyone seen this pattern before? any idea how to approach finding out the cause? i can block the IP but obviously that isn't much of a solution. thanks