Here’s a really quick way to find out if your “ps” binary has been compromised :
# ls -d /proc/* | grep [0-9] | wc -l ; ps aux | wc -l
The commands above are going to show you two numbers : the first one is the number of running processes according to your kernel and the second one is the number of running processes according to you “ps” binary.
If the second one differs from the previous one, something is wrong and this could mean your “ps” binary was compromised. If this happens to you, maybe your system is not a trusted system anymore.