If the attack was made using HTTP connection, you may find the access_logs the requests. You will have to make a shell script to find all the access_log files and search for the attacking IPs (that you seem to already have the list).
In most cases, the domain which is being attacked will have a large access_log file and this will help you to locate the domains. Then update the domains stats using /scripts/runweblogs username . This will help you to have visual analysis of the domain traffic.
Business Analyst SupportSages.com- Bytes of Wisdom @ Work - Where guarantees and promises are made to keep! 24/7 Support with 15 mins response time & no charge guarantees
Since you are on a cPanel server, login to WHM as root user and navigate to Main >> Server Status >> Apache Status. Also see the output of the netstat to see if it is targeting a domain or just a SYN flood.