Check Apache logs under /var/log/httpd/domains/ for repeating URLs in requests from a single IP, from various IPs. Check POST requests.
Check your server for malware.
Enable Brute Force manager in DirectAdmin with CSF/LFD.
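
One way to run the log check suggested above, as an added example that is not part of the original thread. It assumes the per-domain access logs use the Apache common/combined format; the sample lines, the paths in them and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumption: access logs use the Apache "common"/"combined" format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE = """\
203.0.113.5 - - [10/Jan/2019:10:40:01 +0000] "POST /login.php HTTP/1.1" 200 1532 "-" "-"
203.0.113.5 - - [10/Jan/2019:10:40:02 +0000] "POST /login.php HTTP/1.1" 200 1532 "-" "-"
203.0.113.5 - - [10/Jan/2019:10:40:03 +0000] "POST /login.php?x=1 HTTP/1.1" 200 1532 "-" "-"
198.51.100.7 - - [10/Jan/2019:10:40:04 +0000] "POST /api.php HTTP/1.1" 200 370 "-" "-"
198.51.100.8 - - [10/Jan/2019:10:40:05 +0000] "POST /api.php HTTP/1.1" 200 370 "-" "-"
198.51.100.9 - - [10/Jan/2019:10:40:06 +0000] "POST /api.php HTTP/1.1" 200 370 "-" "-"
192.0.2.10 - - [10/Jan/2019:10:40:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
""".splitlines()

def summarize(lines, min_hits=3):
    """Report URLs repeated by one IP, URLs hit by many IPs, and POSTs per IP."""
    per_ip_url = Counter()          # (ip, url) -> request count
    ips_per_url = defaultdict(set)  # url -> distinct client IPs
    posts_per_ip = Counter()        # ip -> number of POST requests
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, url, _status = m.groups()
        url = url.split("?", 1)[0]  # group requests by path, ignoring the query string
        per_ip_url[(ip, url)] += 1
        ips_per_url[url].add(ip)
        if method == "POST":
            posts_per_ip[ip] += 1
    return {
        "repeat_single_ip": {k: n for k, n in per_ip_url.items() if n >= min_hits},
        "many_ips": {u: len(s) for u, s in ips_per_url.items() if len(s) >= min_hits},
        "posts_per_ip": dict(posts_per_ip),
    }

if __name__ == "__main__":
    import sys
    # Pass a log file path as the first argument, or run on the constructed sample.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for name, result in summarize(source).items():
        print(name, result)
```
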
Now everything seems to be alright.
I scanned with ClamAV: no infected files.
In the log files under /var/log/httpd/domains/ I found a lot of:
[allowmethods:error] [pid 29612] [client 126.96.36.199:35746] AH01623: client method denied by server configuration: 'OPTIONS' to /home/admin/domains/...
[Thu Jan 10 10:40:32.144116 2019] [php7:warn] [pid 26892] [client 188.8.131.52:30102] PHP Warning: A non-numeric value encountered in /home/admin/domains/..
How to enable Brute Force manager in DirectAdmin with CSF/LFD?