Panic Button: an automated server self-defense system and file integrity management system built around Free Veracity

Here is the script and some documentation.

Premise: Some files in your unix filesystem should *never* change. Like, say, /bin/ps or /sbin/syslogd. If any of these files have changed, and you didn't explicitly install a new version of them, something very very bad has happened. Chances are, you've been r00ted, and someone has installed a rootkit. That's very bad news indeed.

So, the server should have some way to detect this, and ideally minimize the damage. The last thing you want is to come in on a Monday morning to discover that your mailbox has 1200 nasty complaints from sysadmins about your attempts to "hack" them. An attacker will likely use the rooted box as a jump-off point for lots of other attacks.

Enter panic_button. This is a script that uses freeveracity to check the integrity of certain directories and *panic* if anything looks awry. Since it's implemented in Perl, it's very easy to customize the panic sequence.

In the current version, once a panic condition has been discovered, panic_button will perform some forensic data gathering for later analysis. This includes sucking up some packets off the network, getting a report of who has logged in lately and so on. Add your own recon commands to @other_recon_commands as required.

Then, once it has its data, it will fire off an email message to an admin, and run the "kill switch" command - in my case, killing off all network interfaces and waiting for someone to come rescue it.
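The same detect-then-panic flow, as an added Python illustration rather than the panic_button script itself (which is Perl and drives freeveracity): a digest baseline stands in for the freeveracity check, the recon list, notifier and kill switch are assumed hooks, and the watched files and tampering are constructed in a temporary directory so it runs offline.

```python
import hashlib, os, subprocess, tempfile
def digest(path):
    """SHA-256 of the whole file (chunk it for very large binaries)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()
def build_baseline(paths):
    """Snapshot digests of files that must never change; store it off-host."""
    return {p: digest(p) for p in paths}
def check_baseline(baseline):
    """Return [(path, reason)] for every watched file that is gone or altered."""
    bad = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            bad.append((path, "missing"))
        elif digest(path) != expected:
            bad.append((path, "digest mismatch"))
    return bad

# Constructed, harmless recon list; extend it like the script's @other_recon_commands.
OTHER_RECON_COMMANDS = [["date"], ["id"]]

def panic(violations, recon_commands, notify, kill_switch):
    """Gather evidence first, then alert the admin, then pull the kill switch."""
    report = ["PANIC: integrity violation"] + [f"{p}: {why}" for p, why in violations]
    for cmd in recon_commands:
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
        except (OSError, subprocess.TimeoutExpired) as exc:
            out = f"<recon failed: {exc}>"
        report.append(f"$ {' '.join(cmd)}\n{out.rstrip()}")
    notify("\n".join(report))  # real deployment: mail the admin
    kill_switch()              # real deployment: take the interfaces down
    return report

def demo():
    """Constructed scenario: two watched files, one is altered after the baseline."""
    events = []
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, name) for name in ("ps", "syslogd")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original " + os.path.basename(p).encode())
        baseline = build_baseline(paths)
        clean = check_baseline(baseline)  # expect [] on an untouched box
        with open(paths[0], "ab") as f:
            f.write(b" tampered")  # simulate a replaced binary
        violations = check_baseline(baseline)
        if violations:
            panic(violations, OTHER_RECON_COMMANDS,
                  notify=lambda m: events.append("mailed"), kill_switch=lambda: events.append("killed"))
    return clean, violations, events
```

The ordering in panic() matters: evidence is collected before the kill switch fires, because once the interfaces are down you can no longer capture traffic or the attacker's live sessions.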