Chances are if you’re here, your game may currently be infected with malicious scripts or plugins, or in other words, hacked. If that’s the case, keep calm! It generally can be resolved fairly easily. I’ve seen a great deal of these threads recently, so I’ve formulated this guide to help 
. Let’s get started.
Update: July 2020
Ok, I lied; before we begin, I’d like to talk about a few changes in terms of third-party permissions since I wrote this. Roblox has since implemented options for disabling third-party sales & cross-game teleports as well as plugin HTTP requests. There’s some more info below in the respective spoilers which I would recommend taking a look at if you’re suffering from related problems; otherwise, back to the tutorial!
Third-Party Sales & Cross-Game Teleport Settings
As you can see in the image below, Roblox has added two new options to the Security tab of Game Settings! These options allow you to disable purchases from anywhere that isn’t your game as well as teleports to anywhere that isn’t a sub place of your game.
If you have no use for these features, it’s a good idea to disable them as an additional layer of security. Say goodbye to random purchase prompts and teleports in your game! That being said, if you are experiencing things like these examples, you should not simply disable these options and be done. You should disable them and follow the rest of the tutorial to remove the malicious content from your game.
Plugin HTTP Permissions
Roblox has also implemented plugin HTTP permissions (not to be confused with game HTTP permissions) which prevent plugins from making any requests to the internet. On the first occurrence of said action, you’ll see a prompt like this from Studio which you can accept or decline.
Following the initial action, you’re able to change your decision anytime in the Plugin Management window.
1. Locating Malicious Plugins
If you believe your game is infected, the first thing you should do is verify all of your plugins are legit and not interfering. If you miss this step, everything else later on is pointless since the plugin can continue to replace the backdoor at any time. To access your installed plugins:
-
Open Studio
-
Click on the Plugins tab
-
Click Manage Plugins
Once you’ve got to this list, scroll through all of them and remove any you don’t recognize. Even if they look legit, make sure they’re not a duplicate of the original one. Some plugins have a thread here on the DevForum; try searching for it if you’re unsure. Also, make sure to double-check that the creator’s names match! As Display Names are now a thing, make sure to avoid getting fooled by someone impersonating someone else. Tip: You can click on the creator’s name to reach their profile page.
If you’re still uncertain, you can also visit the plugins page on the Roblox website and search for the plugin. With the results, you can determine whether you may have installed a duplicate.
I would also recommend that you go through the source of your plugins and verify they’re safe. I’ve written a guide on this here:
2. Locating Malicious Scripts
Now that you hopefully are free of hostile plugins, it’s time to find everything they could have inserted. There are multiple ways of doing this, so here are some of the most commonly practiced ones:
- Option 1: Printing All Script Instances & Identifying Rogues
This is a general starter used by most and it’s pretty simple. A small command is run to scan the place for all script instances, then their name and ancestry trace are logged to the output. Such a command looks something like this (change the ‘LOCATION’ to wherever you want to scan; like workspace for example):
for _, instance in ipairs(LOCATION:GetDescendants()) do if instance:IsA("LuaSourceContainer") then print(instance:GetFullName()) end end
After running this, you can survey through the results in the output window for unexpected scripts. All Scripts, LocalScripts, and ModuleScripts all inherit the LuaSourceContainer class and it scans all descendants of the defined location, so it’ll find everything! Here’s a quick example I whipped up:
Try to run this on as many services as you can, you used to be able to scan the entire game, but such functionality has been restricted. Make sure to check CSGDictionaryService!
- Option 2: Using an ‘Anti-Virus’ plugin
Another method that is fairly widely used, especially by those less knowledgeable in scripting is backdoor scanning plugins. There is a wide variety of these created by other users, so a simple search like backdoor scanner or malicious script scanner yields many results. I won’t go very in-depth here as they are all quite different, so I’ll let you explore. Some reputable ones based on those search results are:
Kronos by @WhitexHat
Hidden Backdoor/Infection Script Detector by @Christbru01
- Option 3: Using Studio’s Builtin ‘Find in all scripts’ Feature
This handy feature is built right into Studio, and while it has fewer use cases compared to the above two options, it can still prove quite helpful. Say the malicious script is prompting random purchases in your game, you can find all the scripts where MarketplaceService is referenced. Press Cmd/Ctrl (Mac/Windows) + Shift + F to open it.
Other than that though, it can be hard to know what to search for. Some common terms include: string.reverse, string.byte, require, and getfenv. Most crooks use a variety of things to ‘hide’ what they’re doing (obfuscation) so this option isn’t often too helpful.
- Option 4 (Last Resort): Showing All Hidden Classes in the Explorer
If you still don’t find the culprit, it’s time to resort to more intricate measures. Start by opening Studio’s settings (File > Settings) and selecting the Studio tab.
Scroll down most of the way until you come across these settings:
Enable “Show Hidden Objects in Explorer”, “Show Core GUI in Explorer while Playing”, and “Show Plugin GUI Service in Explorer”. The Explorer should now by flooded full of every class implemented by Roblox. A general place to inspect first is CSGDictionaryService as bad scripts are often placed there since it’s generally hidden:
As you can see, I gave myself a BadScript. If you do manage to find anything here that isn’t MeshData (be sure to check children if there are any), it’s very likely the culprit. Remove it and test your game to see if the problems have been resolved. If they unfortunately haven’t, try starting at the beginning of this topic and make your way down again. After multiple attempts without success, you could also reply below and we’ll help you out.
3. Preventing Problems in the Future
In the future, you can work to prevent such circumstances by operating under these basic guidelines:
-
Only install plugins from well-trusted sources, otherwise thoroughly verify the source code before installing.
-
Limit the use of free models, and if you must use them, check for scripts when inserting.
-
Don’t use scripts from random people on the internet; the DevForum is generally safe, all public topics can be seen by anyone so bad actors would get caught real quick.
-
If you are working in Team Create with others, be sure everyone follows these guidelines. If one person has a nasty plugin, it’s like everyone does.
-
If you’re ever unsure, ask. While it may seem like a dumb question, it’s much better than having your game compromised.
4. Conclusion
This ends the informative portion of this post, so I’d like to request any strategies that you use or anything else that isn’t stated which you believe would benefit others in situations like these. Once again, if you’re having trouble, feel free to post below for help. Thanks, and safe developing!
