Archives for the ‘Apache’ Category

Identifying the Security Hole

For an Apache compromise, note the domain the attack was coming from and review the logs. This can be tedious if you don’t quite know what you’re looking for — a lot of the attacks have gotten quite a bit smarter, using Tor and proxies to randomize IPs, and using scripts that redeploy or [...]

Apache Compromises

ps auxwww |grep apache
Examine the output for the user apache running anything but the correct Apache binary (/usr/sbin/httpd or /usr/local/bin/apachectl -k startssl). Also look for child processes running with extremely high CPU time (if most children are running with 1:20 or so, and one is running at 60:42, note the PID of the latter).
Closely [...]

Detecting the first signs of a compromise

When logging into a server, the first few seconds at the command prompt can offer general health information. Did it take a long time to get a command prompt after authenticating? Are there delays when typing in characters at the prompt? Are you getting disconnected often?
If you have even the inkling of [...]