Caravan and Motorhome Club's website down!

[Jim]

Two threads on this subject have been merged into this one

 

[SpeedyDux]

I have not had much success using their new booking system even when it was allegedly up and working. Had to phone their call centre after having wasted a lot of my time trying to book and pay the deposit with their appalling IT. It used to be so quick and easy. Progress - NOT.

Regardless of the reasons for this IT meltdown I have no confidence in their new online system anyway. Nor the Club management attitude.

 

[cyberyacht]

I’m not sure how many CAMC ‘Club Together’ forum members post here any more, but those that do will know it’s suffered with IT problems for (literally) years. As regular as clockwork members were complaining and reporting problems in the vain hope that somebody in CAMC might listen and fix it. Usually there was no response let alone solution. The current problems will all be part of the same arrogant and dismissive approach to members.

I was a regular and prolific poster on "Club Together". It has always had its issues although the Mk 1 version did at least work notwithstanding the absence of useful features that any self-respecting forum would have. Since then, each iteration has got progressively worse and slower and I have visited infrequently over the past year or so. Notwithstanding the token 'name change' some years back, there has been no significant adaptation to motorhomers needs. Antipathy from "Caravan Club till I die" types who adopted the 'if you don't like it sod off' attitude about either the way the club runs or its IT shortcomings does little to encourage continued participation. Like many, it's only the CL network that keeps me there.

 

[sgl5gjr]

Still down at midday on Wednesday..... Must be a big issue ...

 

[Zoshee]

I suspect catastrophic failure to a database or server, not necessarily hacked. They might not have a complete backup and they are frantically trying to rebuild the servers/codebase. It's been down for days now so it must be serious.

I like the message about the heroics of the external suppliers. I bet that was put there by the external IT team who are getting loads of flak.

^{_{Subscribers  do not see these advertisements}}

 

[AndyPK]

Still down at midday on Wednesday..... Must be a big issue ...

Perhaps some of the ‘management’ could be better used selling ‘The Big Issue’…….!!

 

[Brize]

If there has been a data hack, then that is the last they will see of me.
The club have forgotten the first rule of customer service - communicate, and keep communicating. The less you communicate, the more people will think you are hiding something.

Regards,

 

[Zoshee]

Any large public facing system has people trying to hack all the time so if they had a vulnerability it would have happened before now I suspect. More likely a servers gone bang and they've got poor backup and disaster recovery processes.

I've actually been to the head office 10 years ago for a business meeting. Beige was very in vogue I remember. It was like a Dr Who set from 1970.

 

[Otter Spotter]

Why don't you all just cancel your direct debit or whatever you use to pay them, and get out and find other places with less hassle and money.
Just ask yourselves what you need them for.

Did that last year

 

[Jim]

Any large public facing system has people trying to hack all the time so if they had a vulnerability

We have attempts at hacking our servers every hour of every day, it seems thare is always some script banging away trying to get past Gromett's server security systems.

^{_{Subscribers  do not see these advertisements}}

 

[Spriddler]

I'm no fan of their slow and clunky website and it's annoying, but I'll cut them a bit of slack. Even major corporations and banks' data has been hacked.

 

[Wee Bold Davy]

We have attempts at hacking our servers every hour of every day, it seems thare is always some script banging away trying to get past Gromett's server security systems.

It's probably the BBC trying to get some cheap content from old-mo joke book

 

[chesterfield hooligan]

I like the phrase " thank you for the members support " LOL

 

[hja]

Why don't you all just cancel your direct debit or whatever you use to pay them, and get out and find other places with less hassle and money.
Just ask yourselves what you need them for.

We camp in this country. We don’t like big sites. We do like and use CLs. Hence our continued membership of CAMC

 

[starquake]

We have attempts at hacking our servers every hour of every day, it seems thare is always some script banging away trying to get past Gromett's server security systems.

You do, but this is a public forum software, and tbf, this is one of (few) cases where I'd say it's likely not vulnerable to SQLi in near all cases given how widely this forum software is used on other forums.

However, in my experience of actually pen-testing commercial software, we still were finding SQLi present in areas of "commercial" software even in last few years. It's just more difficult to find. A certain middlewear provider providing services to multiple insurers was discovered by my "old" paymasters back in last 10 years and certainally impacted more than them, but as it was found by internal testers and not hackers, it was not disclosable to customers as it was found "internally" effectively, and hadn't been found by anyone else.

Rarely you get an investigation where someone has done a rather silly SQL statement as part of testing them and it's wiped the database.

I don't actually do this testing anymore as part of what my company does, as it's a case where actual commercial providers don't do a better job but it's a race to bottom there in terms of pricing, so competing with their pricing made the test quality drop....
but I think it's a bit like post-office saying everything is fine. Everything has vulnerabilities, it's just the skillset of attackers as to if they can bypass defences.

^{_{Subscribers  do not see these advertisements}}

 

[starquake]

Did that last year

Going to be doing it this year myself once we've availabled clubfest. We won't be renewing, but it's a shame we can't use a site this weekend we wanted to try.

 

[hja]

When they introduced the new booking system and new web site there were massive problems. It clearly had not been tested properly. I am no IT expert but even I could see that if you hadn’t been allowing people to book ahead, pending the new system, you were building up a huge pressure. So instead of opening up booking a moth at a time, spread over a few weeks, they opened the whole lot up and were surprised when the site crashed! In fact even before this latest problem there were still things you could see or do on the old site that you couldn’t on the new all dancing, all singing site. Their comms is appalling. They pay more attention to Trust Pilot than they do to their own CT forum which they have not improved in years of regular “ server errors” and huge delays for people making their first post.

 

[Gromett]

My part of the IT world for consulting is IT security -> and I can say having ran a few Incident Responses on a major hack investigation, this also could look exactly like the symptoms CAMC are suffering.

I do a number of post hack jobs each year. My point was NOT that this wasn't a breach. It was that the length of time is not always indicative of a breach.

Priority one is to find out "How they got in", then "What they got access to", "fix the problem and any similar problems in the codebase", recover database from tape (happens in parallel to previous step) and finally recover access to customers.
If it was a SQL injection type attack (still as common as in 2001) stopping access to the website allows the entry point to be discovered. Reason I mention this @Gromett is becuase a SQL injection type attack could also wipe all data -> sometimes attackers use a join in SQL that can delete data in extreme circumstances.

There is no excuse these days for SQL injection attacks. Most software these days is built on frameworks (like Laravel) and these have SQL and XSS prevention built in. And it is rare for a serious bit of software to be affected by one. The most common breach method these days is social engineering, Phishing or poor password hygiene. The software used by CAMC is allegedly a piece of Hotel booking software that has been lightly modified. I would expect this was built using one of these frameworks. If this is true and CAMC was exploited, then a lot of hotels would have gone down at the same time and perhaps something would have hit the IT news by now?

I did a bit of investigating of their network just out of curiosity. Whilst it is not conclusive it appears that they have a single front end server with no load balancing. So it is entirely possible they have all their site on a single server and it is possible their database server is on the same server. What surprised me most was this server appears to be hosted in Germany although using UK nameservers. I am NOT ruling out a hack/exploit. I am saying even 3 weekdays in it is not the only likely explanation.

If tt is like it seems and is only hosted on a single server and has had a database crash. Rebuilding said database may not be possible or may take a long time.

So what I am saying is this. Jumping to an exploit/hack at this point is not the only possible cause. I am not saying it hasn't happened. I am saying it is too early to jump to that conclusion.
There is a saying. Why assign malicious intent when incompetence explains it just as well. The single IP/lack of resilience/incompetence, That combined with the 72 hour rule for reporting to the ICO may indicate it isn't a hack.
On the other hand not reporting it may be further incompetence.

Just too early to say one way or another by guesswork. I never jump to conclusions and blame a hack though having seen a number of clients who have been down for 2 weeks due to poor infrastructure up front.

 

[Gromett]

We have attempts at hacking our servers every hour of every day, it seems thare is always some script banging away trying to get past Gromett's server security systems.

54,432 attacks on one service alone in the last hour. That is not including all the front end attacks and other services being attacked.

My view is we do everything possible to avoid being attacked and operate multiple layers of protection. BUT we assume we are not invulnerable and have multiple layers of backups in place.
If this site went down to a hack say ransomware, it could take days to get it fully back up and running. BUT it would get back up fully running even if we had to rebuild from scratch on a new server.

 

[busbuddy]

Somebody probably pulled the server plug out to charge their ev.........

^{_{Subscribers  do not see these advertisements}}

 

[starquake]

I do a number of post hack jobs each year. My point was NOT that this wasn't a breach. It was that the length of time is not always indicative of a breach.

No agreed on all points - although people do rely too much on Frameworks, I've seen cases where the web framework is totally fine, but it's calling a back end API call that itself has SQLi (but doesn't if called via Framework in browser) - yet allows a direct call which can be leveraged. It's just suspicious from soem other observations I had personally with their systems.
The fact you didn't see a load balancer in front today also indicates something odd to me, as in I'd expect many protections to be on a WAF these days on modern systems given putting certain load balancer/WAF/CDN in front adds a lot of protection for near zero money, and it's included in many "clouds" costs.

We'll see which way it goes in time, and I also agree it's far more likely a single database issue, but I equally am quite shocked at how long recovery is taking. But then my clients talk of full recovery times in 30 min to 4 hour regions for databases in the Petabyte, so I work on an entirely different scale to this.

 

[seasideBill]

The great communicators are saying no member data compromised

 

[FrankNicklin]

They have a ton of other domains showing as residing on the same server IP. Most point back to the same site which is different from the site thats down although there is an embedded page showing the site issue. The page showing it is down is dated 2017 but the other domains show a page dated 2024.

 

[seasideBill]

Somebody probably pulled the server plug out to charge their ev.........

Apparently they’ve tried turning it off & on again and it didn’t work!

 

[BillandHelen]

Going to be doing it this year myself once we've availabled clubfest. We won't be renewing, but it's a shame we can't use a site this weekend we wanted to try.

Don’t know why you can’t use a site this weekend, just phone the site direct, they are all taking bookings. I booked Melrose yesterday, now sitting on site having a cup of coffee!

^{_{Subscribers  do not see these advertisements}}

 

[starquake]

Don’t know why you can’t use a site this weekend, just phone the site direct, they are all taking bookings. I booked Melrose yesterday, now sitting on site having a cup of coffee!

Ah they were not on Monday when I tried. Will give it a go on Thursday if the site isnt' back.

 

[Gellyneck]

...The software used by CAMC is allegedly a piece of Hotel booking software that has been lightly modified......

A previous warden told me it was ferry booking software but neither here nor there!

 

[denisejoe]

Just roll up at a site and say you booked a day before the shutdown who can prove it

 

[Sideshow Bob]

A previous warden told me it was ferry booking software but neither here nor there!

I heard that as well

 

[hja]

I heard that as well

I think it is the case that they used their overseas booking service for the uk booking service. But there was definitely some hotel or ferry booking system in there. The system initially asked for info/data that would not be required in a uk site reservation. Required lots of info about ages, dates of birth, names etc. Also some of the terminology was not camp site but hotel / ferry terminology.

^{_{Subscribers  do not see these advertisements}}