Possible attack on Redhat Enterprise 4.0 Webserver

on 29.11.2007 03:36:42 by Jason Carlton

I'm not sure if my server is being subjected to an external attack, or
if I just have a very high traffic load. I'm hoping you guys can give
me some advice on finding out for sure.

I'm running Enterprise 4.0, and primarily use Webhost Manager / cPanel
for maintenance.

The primary domain on this server runs a message board, which is the
big draw. Up until around July 2007, the site had around 7,000 unique
visitors a day, and around 50,000 pageviews. Starting in July, though,
the pageviews started to skyrocket up to almost 1,000,000 pageviews a
day, even though the number of unique visitors didn't significantly
change. In less than a month, the average daily pageviews went from
70,000 to 900,000, with no apparent change on my end.

Since July, this number has spiked sporadically, and then dropped
again. These stats are coming from Urchin.

If you were to look at the Urchin graph, you would see what I mean.
From January until July 1, it's pretty much a flat line, but then from
July 1 until now, you see 2 large mountains; a steady increase, then a
steady decrease, then a steady increase, then a steady decrease:

______/\/\


Recently, the number of unique visitors in a single day has peaked at
9500. That's the most we've ever had in a day, but on that same day
the number of pageviews was only 75,000. The day that had almost
1,000,000 pageviews only had 7500 unique visitors. On this day, my
server load broke 150!

This seems very unlikely to me. I can't imagine that each unique
visitor would go from viewing an average of 100+ pages to an average
of 8, when nothing exceptional happened at either time causing the
major swing.

I suspect that someone is purposefully attacking the server to cause
the site to run slow. I do have a few local competitors that are very
shady, and this sounds exactly like something they would do.

For security, I have disabled SSH altogether (using the SSH Password
Auth feature of WHM), as well as disabling traceroute (using the
Traceroute Tweak feature of WHM). The day that I disabled traceroute
was when my pageviews dropped to the lowest point in 6 months at
75,000 and my unique visitors increased to 9500, and my maximum server
load was around 3. This lasted for several days, but then on Monday of
this week it suddenly skyrocketed again. Urchin has stopped working
for no apparent reason, but my server load has broken 120 several
times, after staying below 3 for almost a week.

I should also point out that LogWatch shows there to be thousands of
brute-force attacks via SSH (which is why I keep it disabled). I only
started using LogWatch in July when I first started having problems,
though, so I'm not sure if this changed at that point. The number has
been fairly consistent every day since I began watching, though.

I've reported this to the company that manages my server and they said
that the traffic looked legitimate. But honestly, I don't know that I
believe that. It's just too unbelievable to see the number of pages
per session change so drastically, and to see such a major change in
the server once I disabled traceroute.

Can you guys offer any other advice on how I can find out if this is
legitimate traffic or an attack?


Sorry for the long explanation, but I wanted to be as detailed as
possible. And any advice you guys can give will be greatly
appreciated!

Jason
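One way to check the pages-per-visitor argument above directly against the web server's own access log, as an added example that is not part of the original post or of any tool the poster mentions: count requests per client IP from Apache combined-format lines and flag any client that accounts for a disproportionate share of all requests. A few clients carrying most of the volume points at automated traffic rather than a real jump in per-visitor reading. The sample log lines, the addresses and the 25% share threshold are constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict, List

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (RFC 5737 test addresses): one client fetching topic after topic
# with no user agent, plus two ordinary browser visitors.
SAMPLE_LINES = [
    f'198.51.100.77 - - [26/Nov/2007:10:00:{i:02d} -0500] "GET /forum/viewtopic.php?t={i} HTTP/1.0" 200 8100 "-" "-"'
    for i in range(1, 7)
] + [
    '203.0.113.5 - - [26/Nov/2007:10:00:08 -0500] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '203.0.113.9 - - [26/Nov/2007:10:00:09 -0500] "GET /forum/viewtopic.php?t=1 HTTP/1.1" 200 8100 "http://example.com/forum/index.php" "Mozilla/5.0 (X11; U; Linux i686)"',
]


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse combined-format lines; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            records.append(m.groupdict())
    return records


def summarize(records: List[Dict[str, str]], share_threshold: float = 0.25) -> Dict[str, object]:
    """Requests per client IP, the average per client, and clients above share_threshold."""
    per_ip = Counter(r["ip"] for r in records)
    total = len(records)
    unique = len(per_ip)
    # Clients whose share of all requests exceeds the threshold (assumed cut-off).
    flagged = [ip for ip, n in per_ip.most_common() if total and n / total > share_threshold]
    return {
        "requests": total,
        "unique_ips": unique,
        "requests_per_ip": (total / unique) if unique else 0.0,
        "top_clients": per_ip.most_common(3),
        "flagged": flagged,
    }


if __name__ == "__main__":
    # In practice: records = parse_log(open("/usr/local/apache/logs/access_log"))
    for k, v in summarize(parse_log(SAMPLE_LINES)).items():
        print(f"{k}: {v}")
```

Run it against a full day's access_log (path assumed above) and compare `requests_per_ip` with the uniques-to-pageviews ratio Urchin reports; if `flagged` names a handful of addresses carrying most of the volume, that is the traffic to show the hosting company.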