Exploiter can crash my servers

So recently I’ve been pinged by my staff because exploiters are apparently crashing my game and I’ve talked to one of my staff them and they gave me this script:

_G.runScript("require(519098437):Clone().Parent = game.ServerScriptService")

I’ve searched my game with anything “_G” or with “_G.runScript” but nothing bad came up and running it in ROBLOX Studio doesn’t work, the module/script itself is off-sale and as far as I know, require() won’t load off-sale items. This has honestly given me a headache as I can’t for my life can’t figure out how this is happening, it DOES work in-game though I asked one of my friends to execute it in-game and apparently it does crash the server or lags it until it crashes it, I’ve also tried searching around the dev forums and some exploiter website but all I found were patched scripts.

Please give me any information or help on this as I am losing players and my game’s reputation is being ruined slowly.

EDIT: Picture

Were you looking through the explorer window?
_G is actually a lua global. It is a table which is shared between all scripts of the same context level. Check this out for more info: Lua Globals | Documentation - Roblox Creator Hub

No, I used Command + Shift + T [I think CTRL + SHIFT + T for windows users] to search through everything.

Wait so you looked through the roblox files? I’m gonna try reading _G

Roblox files? No? Command + Shift + T looks through all of the scripts in the game.

A band-aid solution might be to constantly listen for new children of serverscriptservice and kill them :confused:

Surely there aren’t alot of them occuring after initial setup.

I just realized that the client can’t access ServerScriptService but the admin I talked to keeps saying that it does work. I’m pretty sure thats impossible right?

Can your staff execute commands in game? I found out that _G is a global table that all scripts can access. I think that there was perhaps a run script in _G which cloned and then it was put into the server script service. My only solution would be to add a script and make it like this:


I think client can access server script service because it is still in the game.

Uhh, I don’t think they can as I removed the command to execute scripts in Kohl’s Admin.

How? The client wouldn’t have access to the server’s _G table, so they can’t require by an assetId nor access something placed there, that’s already a flaw in itself.

If they’re putting this into an injection UI or runScript is in the client’s _G table that in turn passes the string to be ran via the server, that’d make more sense which it’d be safe to say you have a backdoor, one where exploiters can pass arbitrary code to your server.

You better check your plugins and your game environment, especially in hidden objects. You can unhide the hierarchy of your game via the toggle in Settings > Studio and look for malicious-looking code that you didn’t write.