A good guide to what to do when your server is attacked.
netstat -nap | grep SYN | wc -l
netstat -nap | less
If many httpd processes show up after step 1, you might be under attack. If the second command returns a high number, you are almost definitely under attack. Use the third command to see the IP addresses, and then ban them from the server, replacing ip.address with the address to block:
iptables -A INPUT -s ip.address -j DROP
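The counting and banning steps above can be combined so the offending addresses are ranked before any rule is written. This is an added example, not part of the original guide; the function names, the threshold of 3 and the sample netstat lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and the threshold are illustrative.

# syn_sources THRESHOLD: read `netstat -nap` output on stdin and print
# "count ip" for each remote address with >= THRESHOLD SYN_RECV sockets.
syn_sources() {
    awk -v t="${1:-3}" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            addr = $5
            sub(/:[0-9]+$/, "", addr)    # drop the :port suffix
            count[addr]++
        }
        END { for (a in count) if (count[a] >= t) print count[a], a }
    ' | sort -rn
}

# ban_commands: turn "count ip" lines into the DROP rules from the guide,
# printed for review rather than executed.
ban_commands() {
    while read -r _count ip; do
        case "$ip" in
            ''|*[!0-9A-Fa-f.:]*) continue ;;   # skip anything not address-shaped
        esac
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample input (documentation address ranges), not real traffic.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address      State       PID/Program name
tcp   0      0      0.0.0.0:80      0.0.0.0:*            LISTEN      812/httpd
tcp   0      0      192.0.2.10:80   203.0.113.5:40112    SYN_RECV    -
tcp   0      0      192.0.2.10:80   203.0.113.5:40113    SYN_RECV    -
tcp   0      0      192.0.2.10:80   203.0.113.5:40114    SYN_RECV    -
tcp   0      0      192.0.2.10:80   203.0.113.5:40115    SYN_RECV    -
tcp   0      0      192.0.2.10:80   198.51.100.7:51000   SYN_RECV    -
tcp   0      0      192.0.2.10:80   198.51.100.7:51001   SYN_RECV    -
tcp   0      0      192.0.2.10:80   198.51.100.7:51002   SYN_RECV    -
tcp   0      0      192.0.2.10:80   198.51.100.99:33000  SYN_RECV    -
tcp   0      0      192.0.2.10:80   198.51.100.20:44000  ESTABLISHED 812/httpd
EOF
}

sample_netstat | syn_sources 3 | ban_commands
```

On a live server, replace sample_netstat with netstat -nap. If the counts are spread thinly across many addresses, the sources are likely spoofed or distributed and per-address DROP rules will not help.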
Also try the following for fixing stuff:
And delete anything that's not supposed to be there.
lsof | grep .,