First you need to perform a presence attack, to do this, look at the number of Apache processes.
If processes more than 35, probably you are attack.
Now, we need to find the website on which the attack.
Go to the directory with the access logs of the sites:
Pay attention to files with a larger size:
This command will show the number of request to a website with a unique IP.
For a more detailed investigation of the intruder, clear the log file:
And re-analyse the log file for anomalies by performing the command:
If you are using iptables, block the offenders: