Comparing proc and ps Process Counts

Some rootkits and malicious versions of ps will hide processes from stdout but leave /proc alone. You can compare the number of processes ps reports with the number of processes tracked in /proc to help determine whether your ps is lying to you. Note that a race condition exists here: on a server where many new processes are spawned naturally, the count can change between the execution of the two commands, so it may be necessary to run this script multiple times to get a clear picture. Since speed is essential, it is important to run the two commands together in a script rather than individually.

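#!/bin/bash
# Count the numeric (PID) entries the kernel exposes under /proc
ls /proc | grep "^[0-9]" | wc -l
# Count the lines ps prints (one header line plus one line per process)
ps aux | wc -l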
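
The same comparison taken one step further, as an added example that is not part of the original page: it compares the PID sets rather than the counts, and repeats the sample so that processes caught by the race drop out. The function names, the --live switch and the sample PIDs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the PID sets from /proc and ps, not just their counts.

# PIDs the kernel exposes: numeric directory names under /proc.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && echo "${d#/proc/}"
    done
}

# PIDs that ps is willing to show ("pid=" prints the column without a header).
ps_pids() { ps -e -o pid= | tr -d ' '; }

# filter_pids MODE A B: print the PIDs of list A that are missing from list B
# (MODE=absent) or also present in list B (MODE=common). Newline-separated lists.
filter_pids() {
    { printf '%s\n' "$3"; echo '--'; printf '%s\n' "$2"; } | awk -v mode="$1" '
        $0 == "--" { in_a = 1; next }
        !in_a      { b[$1] = 1; next }
        $1 != "" && (($1 in b) == (mode == "common")) { print $1 }'
}

# persistent_hidden N: take N samples one second apart and print only the PIDs
# that were in /proc but missing from ps in every sample. A process that exits
# between the two reads (the race) is flagged in one sample only.
persistent_hidden() {
    rounds=${1:-3}; i=0; result=
    while [ "$i" -lt "$rounds" ]; do
        hidden=$(filter_pids absent "$(proc_pids)" "$(ps_pids)")
        if [ "$i" -eq 0 ]; then result=$hidden
        else result=$(filter_pids common "$result" "$hidden"); fi
        i=$((i + 1)); sleep 1
    done
    printf '%s' "$result"
}

# Constructed sample data: two rounds of "hidden" PIDs. 31337 is hidden both
# times; 5001 and 5002 are short-lived processes caught by the race.
demo() {
    round1=$(printf '31337\n5001')
    round2=$(printf '5002\n31337')
    filter_pids common "$round1" "$round2"
}

# "--live" samples this host; anything else runs the constructed demo.
if [ "${1:-}" = "--live" ]; then persistent_hidden 3; else demo; fi
```

Run it with --live on the host under inspection; any PID it prints was visible in /proc but missing from the ps output in all three samples.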

