Exploit able to shutdown server immediately upon connecting, without a character

Starting from early this morning, my game has almost grounded to a halt from a usual 200-300 concurrent user count due to a single person being able to crash any server they want immediately as they join the game. I’m aware of two recent threads detailing server crashes, one of which (right grip replication) affected my game and was patched a month ago and more recently patched officially by Roblox. The other thread mentions abuse of the chat and certain chat commands, however, my game does not have any chat commands.

My game has an account age requirement, and this player does not meet that requirement so is kicked as soon as they join. This is the very first check that is made upon a player joining the server in my OnPlayerAdded function:

local function OnPlayerAdded(player)
	print("[" .. player.Name .. "] Player added")

	-- They are crashing between here and the age kick
	
	if player.AccountAge <= ACCOUNT_AGE and not RunService:IsStudio() then
		player:Kick("Accounts under 30 days old are disallowed from joining.")
		return
	end

To diagnose, I have sat in the server watching server output while my remote wrapper was in debug mode (to print firings before executing code connected to that remote), I also enabled logging of any .Chatted events to see if I was the target of the latter thread I mentioned earlier, as well as, workspace.ChildAdded logging. I also note that my game manually spawns characters in via :LoadCharacter() so this crash is happening before their character even spawns.

This is the last bit of server output before the crash happens (client output shows nothing):


As you can see, the only thing visible is the player joining, a few normal expected remote firings and that’s it. The disconnection modal is shown as soon as the server output stops populating, which is unusual compared to the RightGrip exploit from a month ago where the modal didn’t appear after what appears like a timeout period.

My game has no third-party scripts apart from an open-source library imported in via git submodules and Rojo known as Cmdr (I’ve tried without Cmdr and server still gets shutdown). I’m really at a loss as to what’s happening here and even if it’s in my control, thus why I’m posting in this category.

I’ve also just been able to get the person to follow me to another unrelated game (that has little to no scripts) and this was shut down in exactly the same manner. This must not be restricted to my game.

Our game is getting hit aswell, is the user in question joining on what appears to be the same account in multiple servers?

The guy crashing our servers is this guy right here, even though we permanently banned him:

Yeah, the person is able to join and crash regardless of any checks or moderation systems that kick them upon joining. So we end up getting the same account going around to all of the servers and crashing them.

I’ve outlined symptoms similar to this situation in this post here, however I feel as though the exact situation is unrelated. Crashing exploits like this one are virtually undetectable and you can’t even connect long enough to analyze the server or client.

Just like you’ve stated in your OP, his character doesn’t even load in and immediately crashes the server. This is the exact symptoms we’re experiencing and he can join regardless of ban status. Let me try and hard ban his account and see if it does anything.

Update:

I was able to track him joining but immediately as it showed up that he joined it crashed, despite the fact that it immediately kicks him from the game:

This is the code I used to kick him and it does nothing but it still does detect him joining…

Note: He is permanently banned on my admin system as well.

8 posts were merged out

This is not ROBLOXCRITICAL according to the guidelines.

Please discuss here if you think otherwise: Broaden the spectrum of ROBLOXCRITICAL posts

I looked at the exploiter’s bio and it says ‘Cheat Engine can do godly things,’ which i’m assuming is a hint that he is using an external program like Cheat Engine, just a guess though

I went ahead and disabled every single server script and also cleared my ReplicatedStorage (deleted all of my remote events) and the crashing still persists, leading me to believe this is in fact a deeper engine issue rather than a game specific issue.

I can’t stay connected long enough to even log what happens when he joins as it just immediately crashes with no trace. The only running script is the ChatServiceRunner, which even then has no interruption or spike in activity before or after crashing.

Edit: Could this possibly be abuse of the default chat scripts? I’ve seen a few scripts abusing game.Players:Chat() before with extremely long messages and it’s been proven to take down servers but again, ChatServiceRunner has no spikes in activity which is strange… this could be an unrelated issue.

Yeah I tried logging .Chatted (game.Players:Chat() triggers it) in my OP screenshot of the server output and you can’t see anything. I also looked at the ChatServiceRunner activity after the crash and didn’t see a spike.

The exploiter in question is targeting multiple games at once and completely crashing all of their servers. Club Iris (my game), the OP’s game, Custom Duels, and Group Recruiting Plaza are all confirmed to be experiencing total crashes. Relatively popular games with big and small server sizes which rules out server size as a potential cause.

Proof that once again, he appears to be using one account or identical accounts crashing all my servers:

image877×857 484 KB

Attempting to join any of the games listed above immediately freezes on the loading screen and doesn’t let you connect:

image1919×1018 70.5 KB

image1919×1014 103 KB

Custom duels closed their place but experienced the same symptoms upon joining as these two games had. Freezing on the loading screen and not able to join any servers.

This looks like a big issue. If roblox events can’t detect him fast I don’t know what will.

Set up a lobby that handles joining. Kick them from that server if they’re banned before redirecting them to another server via the universe system. They’ll end up crashing the other server instead of the actual one. That way they can’t do a crash on join unless they crashed on join for the other server.
Temporary fix, but it should stop on-join crashing if they are banned.

This is possibly some next level exploit that can be extremely malicious. Bug bounty might be needed to check what the exploiter is abusing in order to crash the servers.

The root cause here seems to be RCC crashing and thus kicking players, which implies logs are being sent to Roblox each time this happens. The more they do this, the easier it is for Roblox to track down the issue. For now, this is internal behavior that doesnt seem preventable.

I’ve been having problems with my game - Getting this result:

Screenshot_90953×612 187 KB

I figured ROBLOX is having a major engine bug currently seeing I went to other games like British Army’s “Army Simulator” and “Fishing Simulator” and they’ve had the same exact sort of crashed.

So I’m not sure if this relates to this, but if that’s going on along with a major engine bug - some serious fixes need to be worked on immediately.

This is my game - we usually have 60-100 players in game consistently, now we’re seeing a lot less with all of these frequent crashes.

The exploiter doesn’t appear to be crashing your game. You’ll notice a purple guy repeatedly joining your servers and crashing them rather than them crashing on their own.

Well then there appears to be a huge bug with ROBLOX servers crashing in general. Been going on for the past couple hours. I submitted an “Engine Bug” report - but as usual, my post has not been approved.

I also reported a bubble chat bug where people’s bubble chat will often glitch and not disappear, that was also not approved.

Not to bash on community moderators / volunteers, but I really wish they’d be more on top of approving these post’s to help get them solved much faster.

I can confirm this method works and matches our use case almost exactly. How do we alert Roblox to this issue? This does appear to be the script the user is using.

There’s no other way to alert ROBLOX besides via email support, however support isn’t fast on responding back via Email, so nothing we can do about it…

What about the Exploit Reports group? should I send a ticket in with this code snippet?