How does the attacker discover our server?

The short answer is that many people are scanning everything most of the time.

Doing so was, some years back, considered impractical, but the combination of better networks, better tools, better throughput, and more of the space being in use means that is no longer the case.

For example, ZMap claims on its front page:

ZMap is capable of performing a complete scan of the IPv4 address space in under 5 minutes, approaching the theoretical limit of ten gigabit Ethernet.

Botnets tend to distribute the same sort of scan across significant numbers of nodes, to achieve a similar result: any given machine on the internet is likely to be scanned at least once a day by a determined attacker/scanner.

Once a webserver is identified on a given IP, there are all kinds of tools to test well-known paths, and tools that will try and guess at your sitemap.

In short, welcome to the internet - where obscurity is not security.

Do consider this in the context of setting up your app/services/widget - in all likelihood, things you would probably prefer to be 'secret' will not be, and defending your assets and resources is necessary.


Just about every IP has been under continuous probing for years. You don't even need to have a domain name; a normal consumer DHCP IP access is enough. Running a dummy HTTP service on your computer scores hits from automated /phpmyadmin and such probes. Should your service give HTTP code 200 as an answer, some abuse attempts may follow.

The probers and attackers use botnets, and therefore the IP used can be anything from a hacker's home address to a kitchen appliance's IP ... and more. Blocking IPs doesn't work anymore. If you want to have something on the Internet before release, you might want to whitelist the addresses that need to access the site.

Remember: never allow direct SSH access to your servers from the Internet. The SSH ports are under similar bombardment all the time. If you have an SSH server and username 'dave' with password 'letmein' open to the Internet, you'll probably get hacked in no time.
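The probing described in the two answers above (scanners requesting well-known paths such as /phpmyadmin, and a 200 response telling them something is there) is easy to spot in your own access log. The following is an added example, not code from either answer: it parses a few constructed Apache/nginx "combined" log lines, groups hits on a hypothetical list of probe paths by client IP, and records which probes your server actually answered with 200.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /pma/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:02:12 +0000] "GET /about HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Oct/2023:14:10:05 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Hypothetical list of paths that automated scanners request; a client that asks for
# these without ever fetching a real page is probing, not visiting.
PROBE_PATHS = {"/phpmyadmin/", "/pma/", "/.env", "/wp-login.php", "/.git/config"}

def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_probes(log_text):
    """Return {ip: {"paths": set, "served_200": set}} for clients that hit probe paths."""
    result = defaultdict(lambda: {"paths": set(), "served_200": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in PROBE_PATHS:
            continue
        entry = result[rec["ip"]]
        entry["paths"].add(rec["path"])
        # A 200 on a probe path tells the scanner the resource exists; expect follow-up attempts.
        if rec["status"] == "200":
            entry["served_200"].add(rec["path"])
    return dict(result)

if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG).items():
        print(ip, sorted(info["paths"]), "answered 200:", sorted(info["served_200"]))
```

Ordinary visitors (198.51.100.23 in the sample) never appear in the result, while the two scanning clients do, and the one probe that returned 200 is flagged separately so it can be fixed or access-restricted first.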


This seems like it is just random scanners on the internet. They just roam around trying different IP addresses and looking for certain folders and files that might indicate vulnerabilities.
