Burger queen Serverside/backdoor Issue (major help needed.)

Evelucinate · April 4, 2020, 9:55pm

Hey there developers!
I’m in the need of some serious help-

This module keeps going into Burger Queen, and it keeps being re-added to the studio.

https://www.roblox.com/library/3664252382/yes

Is there any way where we can find the source for this? How do we get rid of this backdoor, and what can we do while we wait? Thank you

(My more advanced developer friend, is requesting that this module gets deleted, and so do I.)

Senbanistan · April 4, 2020, 10:00pm

You or one of your developers probably have a plugin that’s been compromised in some way, or was made with malicious intent from the start. That’s disregarding the possibility that one of your developers may be doing this on purpose. You should have all of your developers check their plugins to make sure that they’re all reputable and trustworthy.

Evelucinate · April 4, 2020, 10:03pm

Thanks for taking your time.
We disabled our developers access, to be able to access these studios and we did a check on the only 3 people (Felsun, EnnaDelRey and myself) and found out that none of us have any untrusted malicious plugins installed. Our developers are also trusted, but currently they don’t have access to anything (fyi. the backdoor is still continously coming back)

sjr04 · April 4, 2020, 10:03pm

There is also a chance a free model with a bad script was inserted.

Evelucinate · April 4, 2020, 10:04pm

We have searched across using the Find Result tool for scripts. I’ve checked through that with all of the scripts we have, and none are found to have those kinds of inserts. We don’t really use free models.

sjr04 · April 4, 2020, 10:06pm

Have you and your developers inspected your plugins code? If you don’t know how to do that just execute this in the command bar.

local id = 123456789 -- the plugin ID you want to inspect
for _, object in ipairs(game:GetObjects("rbxassetid://" .. id)) do
    object.Parent = workspace
end

Senbanistan · April 4, 2020, 10:06pm

If the backdoor is returning despite being removed it has one of two things:

One of your developers is maliciously including this backdoor in your game.
One of your developers is compromised in some way such that the backdoor gets added without their knowledge. This could be through a plugin or even if their PC is compromised in some way, although the former is much more likely.

Operatik · April 4, 2020, 10:09pm

Did you revoke the access of all your developers to see if the script is still added to it? If it’s still there, you’ll have to check the following:

Server’s scripts, check for malicious contents if possible
Your plugins, try checking deeper into it, it is likely to be a plugin with malicious code

Oh yeah, try using the explorer’s search filter.

Evelucinate · April 4, 2020, 10:09pm

Great idea
What we did was we looked at the plugins and checked out if they were trusted or not. Stuff like F3X you know. We will try that, but this will remain open, we really want this fixed asap.

Evelucinate · April 4, 2020, 10:11pm

All of our developers do not have any permissions anymore when our first “attack” if you can call it that, happended. We will check deeper into our plugin and we have also started to delete some of our models because of this. I’m the co-owner, so I can’t really do anything about the revoking access of the other 2 developers which is the other co-owner and the owner. But i’ll try to suggest that as well

Evelucinate · April 4, 2020, 10:24pm

Hey again!
We are starting to get this together O_o

We found a part of an ip in one of our scripts (the owner did, EnnaDelRey) and
it went from loading 1273132 of the same modules down to around 2 everytime.
Do you know why there is an ip?

I was told not to give the IP out, because the other developer (other co-owner, more experienced than me) is suspecting that it might be part of one of our IP’s-

Operatik · April 4, 2020, 10:35pm

IP as in IP address or? That’s something spooky, could it be possible that someone’s machine is compromised?

sjr04 · April 4, 2020, 10:47pm

Were you able to identify which plugin it was. If so report it privately to @Exploit_Reports. Getting someone’s IP shouldn’t be possible.

Evelucinate · April 4, 2020, 10:49pm

After looking through a bunch of our scripts, we found the solution
(out from what the head dev says).

The module no longer pops up, we’ve attempted to rejoin several times and it won’t come back. This is so nice

Thank you guys for your help You were so nice.

This is my first thread, so i’m not used to doing these kinds of things.
I’m amazed by how well the devforum is set up… Thank you

NeoInversion · April 4, 2020, 11:05pm

I read something a while back about it being possible to get someones IP through something on Studio. I don’t remember the details, so I can’t really explain it, but it was there. I believe its patched now though.

Txppin · April 5, 2020, 3:44am

I would like to clarify that it isn’t possible to grab IP Addresses anymore but it is still possible to however grab the IP Addresses of people that require your module inside of studio.

Razorter · April 5, 2020, 4:05am

She didn’t say in what context they found the IP but it could be possible that it was used with HttpService to query an external server on what modules to require into the game. In case one malicious module was moderated the bad actor could just change the assetid on the server to a new unmoderated module.

Evelucinate · April 5, 2020, 10:36am

I wasn’t told in what context the IP was found.
I believe that it was just somewhere, litterally in the text with no context.

Txppin · April 5, 2020, 12:18pm

I am able to help you with the issue I have more information on who backdoored your game. Contact me via my discord if interested.