If the attack was made using HTTP connection, you may find the access_logs the requests. You will have to make a shell script to find all the access_log files and search for the attacking IPs (that you seem to already have the list).
In most cases, the domain which is being attacked will have a large access_log file and this will help you to locate the domains. Then update the domains stats using /scripts/runweblogs username . This will help you to have visual analysis of the domain traffic.
Business Analyst SupportSages.com- Bytes of Wisdom @ Work - Where guarantees and promises are made to keep! 24/7 Support with 15 mins response time & no charge guarantees
This will help you to determine the path of the file/domain being attacked.
█ r00t-Services.net | DDoS Protected VMs & Remote DDoS Protection, Security, Optimization.
█ In business since 2011 | Contact us: support[at]r00t-services.net
█ Affordable & PowerfulDDoS Protection Service in Europe and the USA! (⌐■_■)--︻╦╤─ - - - DDoS
Since you are on a cPanel server, login to WHM as root user and navigate to Main >> Server Status >> Apache Status. Also see the output of the netstat to see if it is targeting a domain or just a SYN flood.