skip to primary navigationskip to content

Reporting security incidents if you are a member of the University

Please note that if you have a virus or other malware problem, or think that you have such a problem, you should contact the .

Break-ins, attempted break-ins, probes for vulnerabilities and other security incidents in the University of Cambridge should be reported to CamCERT as soon as they are discovered. The preferred method of contact is by email to Mail to this address is monitored frequently during normal working hours and intermittently at other times. You should also contact CamCERT if you think that your password has been obtained by someone else or you suspect that someone has been misusing your email.

CamCERT may pass details of a security incident to JANET-CSIRT for investigation, follow up, to assist in another investigation or simply for the records.

Reporting incidents where an intruder is suspected of having broken in to the system

  • The system should be disconnected from the network as soon as possible, preferably immediately the problem is discovered. This applies across the board, including to servers - remember that the system may well be being used to attack other machines. It should not be switched off or restarted because valuable evidence can be lost.
    • if the machine is your responsibility you should also tell your Institutional Computer Officer as other systems in the institution may also be vulnerable to the attack.
    • if it is not your machine contact the system manager, either you or the system manager should also tell the Institutional Computer Officer.
  • Send details to Remember to leave details of
    • the machine name and/or IP address (number)
    • any information you have about the incident
    • where you can be reached - remembering that the machine has just been disconnected.
  • If the machine is yours and you do not feel that you are competent to investigate the machine yourself, ask your Institutional Computer Officer or CamCERT for advice

Reporting probes for security vulnerabilities

CamCERT welcomes reports of probes from system managers of machines on the CUDN; probes, attempted and actual break-ins should be reported to, with an extract from the log including the

  • the name and/or IP address (number) of the probed machine
  • the name and IP address of the attacking machine
  • the port probed
  • the time of the probe
  • an indication whether the machine is NTP synchronised.