Hi everyone, it’s my first post on here; sorry if I breach any rules of etiquette.
Before writing this, I did a little searching of the forum beforehand on the topic of backdoors and backdoor prevention, and while there was a lot of useful information, I couldn’t help wondering about how much thought I should put into this.
I’ve been working on a fairly large game project for about half a year now, and at the start of it, I’d messed around with a fair amount of plugins — I wasn’t really aware of the potential problems that malicious plugins could cause, so I never took precautions like looking into their source code or into the backgrounds of the plugin creators. A few months later, the project has ballooned in size, and I realized that it could be quite difficult/tedious to try to find any backdoors which may exist.
Is this something I should really be worrying much about? I’ve tried a few things like CTRL+SHIFT+F’ing to search for things like require’s and getfenv’s, and looking around to see suspicious scripts - naturally I found nothing.
Should I really only concern myself with this once I actually see an exploiter take advantage of a backdoor? Once that happens, would I be forced to essentially create a brand new game, and copy over every asset and script by hand, checking that nothing includes anything malicious?
I’d like for someone to tell me it’s not really something I should worry that much about.
Okay, first of all, backdoors are scary, and they can do many malicious things. One example is giving the exploiters an admin panel. I’ve actually taken apart a backdoor to find one of these admin panels before. They include a server-side executor.
The exploiters could potentially add some inappropriate objects into the game using this executor and get your game banned.
So, why is it something you shouldn’t worry about?
Backdoor plugins are banned within a matter of weeks.
Plugins need your permission for ‘Script Injection’.
These plugins are often disguised as “antivirus” plugins. If you don’t have any of those, you are fine.
Not necessarily. This is because there are a limited number of containers in which server scripts run. The smarter backdoors place a script in a random part in workspace, but they wait until your map is big enough first so it isn’t detected. A simple workspace search can find these (search “className: script”).
You’re wrong here. If you have a backdoor, you should never worry about it when it happens. Backdoors can be game-breaking, and as discussed earlier, can also get you or your game banned.
Thank you so much for the information and the reassurance.
So if you simply never give plugins that permission, there’s no possibility of a backdoor? I guess I was under the impression that plugins can kind of just automatically do whatever they want once you’ve downloaded them/used them. I have to say I know very little about plugins so I kind of just went straight to assuming the worst of them once I heard of this. I think I might try creating a plugin of my own just to get a clearer sense of how these things work.
I would guess that most of it comes from people looking through the source code of the plugins?
I kind of feel silly for not realizing this earlier. So, in looking for these malicious server scripts, I really only have to search within the Workspace and within ServerScriptService? That’d be a massive relief.
I do have one thought on my mind; is it just as possible for these sorts of malicious scripts to be injected into the client-side instead of the server-side, in such a way that all clients are affected by it? Like if such scripts were put into StarterGui, StarterPlayerScripts, etc. Could this also be a concern?
Thinking about it a little more, I suppose if a malicious script like that were put onto the clientside somewhere, I would think it wouldn’t be able to act as a proper backdoor, since after all it’s not on the server-side.
Sorry, I was kind of confused by this; this sounds like I should worry about it when it happens?
That’s true, but also remember that there exist plugins that need permission to do that.
If you find any, check the user who made it; if you “know” him (in a good way) you can accept it, but be sure you’re safe!
By the way, in your posts, put some spaces (and paragraphs) so others “want” to read this.
When I saw the post, I almost wanted to leave without even reading anything because it’s all “together”.
Hey, thanks for the feedback. I’ve edited the original post to include some more line breaks — you’re definitely right that it makes it easier to read.
Well, the only way to stop worrying is to see if there are any in your game. What I would do is use Ctrl + Shift + F to search all scripts. You’d search for things like getfenv() and require. These are usually backdoors; getfenv is more likely to be, though.
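
The search suggested in the replies above, as an added example that is not part of any poster's message: a Luau snippet for the Roblox Studio command bar that lists every script whose source mentions getfenv or calls require with a numeric asset ID, together with the service it sits in. The pattern list and the helper names (`PATTERNS`, `topLevelService`, `scanSource`) are assumptions made for illustration.

```lua
-- Added example: paste into the Roblox Studio command bar (reading .Source needs Studio-level access).
-- PATTERNS is an assumed list based on the thread: getfenv and require() by numeric ID.
local PATTERNS = {
	{ label = "getfenv", pattern = "getfenv" },
	{ label = "require by numeric asset ID", pattern = "require%s*%(%s*%d+" },
}

-- Name of the service (Workspace, ServerScriptService, ...) that contains the instance.
local function topLevelService(inst)
	local current = inst
	while current.Parent and current.Parent ~= game do
		current = current.Parent
	end
	return current.Name
end

-- Returns one "line N: label" entry per pattern match in the given source text.
local function scanSource(source)
	local hits, lineNo = {}, 0
	for line in (source .. "\n"):gmatch("(.-)\r?\n") do
		lineNo += 1
		for _, p in ipairs(PATTERNS) do
			if line:find(p.pattern) then
				table.insert(hits, string.format("line %d: %s", lineNo, p.label))
			end
		end
	end
	return hits
end

local flagged = 0
for _, inst in ipairs(game:GetDescendants()) do
	-- pcall: instances under restricted services can reject method calls or property reads.
	local okClass, isScript = pcall(function() return inst:IsA("LuaSourceContainer") end)
	local okSrc, source = pcall(function() return inst.Source end)
	if okClass and isScript and okSrc then
		local hits = scanSource(source)
		if #hits > 0 then
			flagged += 1
			print(string.format("[%s] %s (%s)", topLevelService(inst), inst:GetFullName(), inst.ClassName))
			for _, hit in ipairs(hits) do
				print("    " .. hit)
			end
		end
	end
end
print(flagged .. " script(s) flagged for manual review")
```

A plain text match does not catch obfuscated code, so an empty result still leaves scripts in unexpected places worth opening by hand.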