First you need to perform a presence attack, to do this, look at the number of Apache processes.
Debian:
If processes more than 35, probably you are attack.
Now, we need to find the website on which the attack.
Go to the directory with the access logs of the sites:
Pay attention to files with a larger size:
This command will show the number of request to a website with a unique IP.
For a more detailed investigation of the intruder, clear the log file:
And re-analyse the log file for anomalies by performing the command:
If you are using iptables, block the offenders: