Yesterday I was helping to host an event that I developed and was threatened to have my game “bombed”. At 11:00 I was given the news that an exploiter inserted the TNT gear and killed everyone while destroying everything that was unanchored, such as rollercoasters. I checked my game for backdoors, searching for everything that does a :require() function, and I also used Kronos Virus detector, to no avail. What can I do to fix this? I have Adonis Admin, which I made sure was the official one. None of my plugins seem to be suspicious. I would greatly appreciate the help.
Don’t use free models, use filtering enabled, and follow good development practices.
Just based off of the fact that you’re using Adonis Admin and Kronos Virus detector, your game is probably not secured very well.
Do you have any remotes that allow users to insert items?
Isosta’s point.
Also, check your RemoteEvents and anything related to client-server communication that may give leeway to be abused.
No matter what you do, if an exploiter wanted to, they’d be able to use your client-side remote events to send things to the server. It’s your job, or your scripter’s job, to make this more difficult to do or counter it.
Never trust anything from the client - all data checks etc must be done from the server.
No, my game does not use remotes.
I quite literally can’t find any form of anti exploit that doesn’t do anything Adonis doesn’t.
Huh, that’s weird.
The only possible reason I can see this happening is a backdoor you didn’t find. Perhaps someone is abusing their admin?
Even if your game doesn’t use remotes Adonis Admin uses remotes (pretty sure) so exploiters could be using that to get through. It’s possible that there’s a vulnerability with that admin that exploiters found out. I’d get rid of that to be safe (assuming it’s the only free model you have) and see if the exploiting reoccurs.
Make sure FilteringEnabled is on as well.
Adonis is one of the largest admins you can get, I don’t see this happening on other big games that use it.
I checked logs and admins, they were not given the gears.
Ruling out admin abuse, a backdoor seems to be the only possible way they could insert the gear. Have you used any free models?
Personally I didn’t add any free models, but the other developers may have. I still have not found any backdoor.
You can go into Studio settings and enable something along the lines of “show hidden services”, which basically shows all hidden services in the DataModel.
There have been a few cases of a backdoor located in NonReplicatedCSGDictionaryService, please check for any backdoors there. The backdoor being injected from there is “sirhurt”, which is a common backdoor.
Do I check for these backdoors while running the game?
No, because some backdoors remove themselves at runtime.
Please read the actual conversation before posting, the guy did attempt to run that “backdoor detector”.
I searched through all of the hidden objects, there are no scripts out of the ordinary.
Eliminating hidden services/scripts, free models… are you sure there are 0 remotes in the game?
Yes, my game relies on no RemoteEvents, especially none that would be exploitable to the point of giving the player a gear.
How many developers are with you? Because everyone who has edit access to the game can use the devconsole, which allows you to have arbitrary code execution, which can give players gears, basically anything a normal server script can do.
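Added example, not part of the thread: the checks discussed above (scripts that `require()` a numeric asset ID, scripts parented under hidden services, and any remotes present in the place) can be run offline against a saved copy of the place, which sidesteps backdoors that delete themselves at runtime. It assumes the place was saved from Studio in the XML `.rbxlx` format; the pattern list, function names and sample place below are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic patterns chosen for this example; obfuscated loaders will evade them.
SUSPICIOUS = {
    "require-by-asset-id": re.compile(r"require\s*\(\s*\d+\s*\)"),
    "getfenv": re.compile(r"\bgetfenv\b"),
    "loadstring": re.compile(r"\bloadstring\b"),
}
SCRIPT_CLASSES = {"Script", "LocalScript", "ModuleScript"}
REMOTE_CLASSES = {"RemoteEvent", "RemoteFunction"}

def _prop(item, tag, name):
    """Read one named property from an <Item>'s <Properties> block."""
    for el in item.findall(f"Properties/{tag}"):
        if el.get("name") == name:
            return el.text or ""
    return ""

def scan_place(xml_text):
    """Return sorted (instance path, finding) pairs for an .rbxlx document."""
    findings = []
    def walk(item, parent):
        cls = item.get("class", "")
        name = _prop(item, "string", "Name") or cls  # fall back to class name
        path = f"{parent}.{name}" if parent else name
        if cls in REMOTE_CLASSES:
            findings.append((path, f"remote:{cls}"))
        if cls in SCRIPT_CLASSES:
            source = _prop(item, "ProtectedString", "Source")
            findings.extend((path, label) for label, rx in SUSPICIOUS.items()
                            if rx.search(source))
        for child in item.findall("Item"):
            walk(child, path)
    for top in ET.fromstring(xml_text).findall("Item"):
        walk(top, "")
    return sorted(findings)

# Constructed sample place; the asset id is a placeholder, not a real module.
SAMPLE = """<roblox version="4">
<Item class="Workspace"><Item class="Script"><Properties>
  <string name="Name">Coaster</string>
  <ProtectedString name="Source">print("ride")</ProtectedString></Properties></Item></Item>
<Item class="NonReplicatedCSGDictionaryService"><Item class="Script"><Properties>
  <string name="Name">Loader</string>
  <ProtectedString name="Source">require(1234567890)</ProtectedString></Properties></Item></Item>
<Item class="ReplicatedStorage"><Item class="RemoteEvent"><Properties>
  <string name="Name">GiveGear</string></Properties></Item></Item>
</roblox>"""

if __name__ == "__main__":
    for path, finding in scan_place(SAMPLE):
        print(f"{finding:22} {path}")
```

Each hit is a lead for manual review rather than proof of a backdoor, and the scan only sees what is in the saved file, not what plugins or the developer console do in a live server.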