Someone somehow put a backdoor into one of my games and it’s nowhere to be found. This method did not work on finding it either. I’ve checked all of my plugins everything. It’s a small “Interview Center” type game for a group I develop for. There’s no remote events so it’s not a vulnerability or security issue with my code. No infections have been found when I use Christbru01’s hidden script detector either.
edit: I can’t really find the backdoor anymore because I no longer develop for that group, but if you want to still post solutions for other people that may stumble upon this thread, that’s fine too!
Yeah I’ve done that. As I said, there’s not many scripts in the game either. The only scripts that are in the game are in ServerScriptService and there’s only like 4 scripts total there so… I’ve asked a few of my buddies to help find it but no luck either.
That only thing I could think of would be the admin system. Rn they prefer to use TheFurryFish’s admin system. We made sure to switch to the module plain module instead of requiring it from the website (its open source) but the exploiting still persists and TheFurryFish is a trusted user so.
Try updating my plugin. I just updated it so it will now find the infection from that plugin and remove it. (V2.0.8) The exploit creator got creative and injected a ModuleScript into an odd place where I assume it is still being executed for some reason. Either way I added in modulescript (and localscript) source scanning as well as added that particular infection to the known infections list. Should be able to detect and remove it now.
It still can’t find the infection so rip. Ik there’s a backdoor in the game because the exploiters stated it themselves and have been doing things like spawning in tornadoes or shotguns so I’m honestly stumped at this point. Maybe it’s a vulnerability that they recently discovered with Roblox idk. I checked my plugins. I’ve checked other dev’s plugins. Nothing to be found.
Do you (or possibly another dev if it’s a group project) use any free models? One might have inserted that came with a script with a backdoor hidden away.
When I can’t find something and I have a minimal amount of scripts, I put a single period in the Ctrl + Shift + F menu. Almost every script should sport a period unless it only has something like a require. If that doesn’t work, I transfer things over to a new place file and overwrite the old one (I manually move builds, then the scripts I knowingly created).
Be sure to check your plugins and the XML data of your place as well.
Yeah, it’s getting pretty bad on Roblox. Ever since FE was forced, exploiters decided to join the backdoor scene and find ways to secretly put backdoors into developer’s games.
The discussion has stayed on-topic. We were discussing backdoors in games and this thread is about one.
Anyways, no. I have not found a solution to the problem. I actually stopped developing for the group just a few days ago due to reasons I will not discuss but yeah. Currently no solution. Not really a way to find a solution at this point because I do not have access to the game anymore.
Just a friendly reminder, though you may not have needed it. You never know; someone might continue responding and it may turn into a discussion of FE rather than attempting to address the original post (the inability to find a backdoor).
Sorry to hear that you’ve stopped developing for said group.
In any case, I still find it strange that the backdoor was unable to be found despite most or all viable options being listed here for usage. Perhaps that might require some reinvestigation sometime by those still developing for the place - could potentially be an oversight.
Has this problem occurred for you in any other games?
No, this has not occurred in any other games of mine personally. I talked with a new developer at the said group and he said he couldn’t find a backdoor either but exploiting was happening. So I really don’t know at this point. It could perhaps of been a huge oversight even though I searched for every script that uses require and getfenv using Roblox’s Find Result feature.
Christbru01 and a couple other developers at a group I have done contract work encountered a similar issue that you’re experiencing. The tl;dr is that these exploiters use a crude method to hide executing code in robloxlocked services. It’s fairly trivial to delete with the plugin.