Exploiters are ruining my games

Hello! Wish me welcome to the Developer Forum because this is now my first post :stuck_out_tongue:

Anyways, I have been trying to cope with exploiters regarding my games, especially the big one releasing soon. However I haven’t gotten any further with this problem. I tried reaching out to ROBLOX via email, but they constantly told me to report the exploiters, which doesn’t have much effect on my games at all.

All of my games are FilteringEnabled, and are scripted entirely by me. I do not have any admin commands, and I use all of my Remote Events securely (as far as I know). I have tried checking the type or ClassName of every single argument sent via RemoteEvents from the Client to the Server, to “eliminate” any injections through these. LoadString is also disabled. I have basically tried everything I can at this point and I really need your help.
Exploiters keep joining my games when I run ads, inserting admin commands, spawning in models, kicking people, banning people, ruining the map by exploding large chunks of the terrain. They even leave code that makes you teleport to another game, and then back to my game. This results in players leaving my games as well as disliking them.

Also, how is this even possible? I thought FilteringEnabled made Client-changes visible only for the client? I think there has to be a breach into my server-side Scripts?

9 Likes

This is correct. Nobody can spawn game-visible models/assets in from the client.

The only way somebody is joining your game, spawning things in without server console access, is a backdoor or exploitable Remote. You should look for any backdoors from plugins or free models. Look at all “Scripts” in your game. There must be something allowing people to call server side code from the client.

5 Likes

I believe this plugin can help locate those:

1 Like

I’m 99% sure this topic here might lend you a hand! Be sure to check it out when you can!

1 Like

Does your game possibly have a backdoor (server access with exploit)? You could have gotten one through plugins, models and any downloadable assets. If not, I don’t see how exploiters would be deleting terrain and such unless you had a remote event to do so.

Yes sir, I have already done this. There are no Scripts that are not made by me in the game. Also, I tried adding server-sided checks for each argument sent via RemoteEvents, for example:

event.OnServerEvent:Connect(function(player, target, forward)
    if player.ClassName == "Player" and typeof(target) == "Vector3" and typeof(forward) == "boolean" then
    end
end)

The only free models I have been using are trees and bushes and such, and there are no Scripts inside these anymore. And there are no RemoteEvents which can access the Terrain in any way.
Yeah, I also believe there has to be a backdoor somewhere but I really have no idea where. I have downloaded a few plugins such as Custom Character Creator and Custom Animation Editor, but do these affect my game?

These types of checks aren’t enough to stop somebody from exploiting them. This literally just guarantees they are not sending the wrong information. You need to implement checks that guarantee the user calling the remote is doing so properly, and the action only happens if it’s supposed to.
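
The difference between checking argument types and checking that the call is legitimate, for the `target`/`forward` remote discussed above. This is an added example, not code from any poster in the thread; the remote name `InputEvent`, the two limits and `applyInput` are assumptions.

```lua
-- Added example (server Script). InputEvent, the limits and applyInput are
-- assumptions for illustration, not names or values from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local event = ReplicatedStorage:WaitForChild("InputEvent") -- hypothetical RemoteEvent
local MAX_TARGET_DISTANCE = 500 -- studs; assumed gameplay limit
local MIN_INTERVAL = 1 / 30 -- seconds between accepted calls; assumed
local lastAccepted = {} -- [Player] = os.clock() of the last accepted call

-- Hypothetical game logic: only ever touches the caller's own character.
local function applyInput(character, target, forward)
	character:SetAttribute("AimTarget", target)
	character:SetAttribute("MovingForward", forward)
end

-- `player` is filled in by the engine; everything after it is client-controlled.
event.OnServerEvent:Connect(function(player, target, forward)
	-- 1. Shape: well-formed arguments (this is all a type check proves).
	if typeof(target) ~= "Vector3" or typeof(forward) ~= "boolean" then
		return
	end
	-- NaN and infinite components pass typeof(); both fail this comparison.
	if not (target.Magnitude < math.huge) then
		return
	end
	-- 2. Rate: drop calls arriving faster than the game could produce them.
	local now = os.clock()
	local last = lastAccepted[player]
	if last and now - last < MIN_INTERVAL then
		return
	end
	lastAccepted[player] = now
	-- 3. State: the caller must have a living character right now.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not (root and humanoid and humanoid.Health > 0) then
		return
	end
	-- 4. Plausibility: reject targets far outside the playable range.
	if (target - root.Position).Magnitude > MAX_TARGET_DISTANCE then
		return
	end
	applyInput(character, target, forward)
end)

Players.PlayerRemoving:Connect(function(player)
	lastAccepted[player] = nil
end)
```

The handler never uses a client-supplied value to choose which instance to act on; it always acts on `player.Character`.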

Is loadstring enabled in your game? (I am just curious) Loadstring is a security vulnerability that can be disabled by going to serverscriptservice and turning it off.

1 Like

I see, but can exploiters fire code that insert models and such through these arguments? All the server-side Script does in this case is to handle user input (target equals mouse position, forward equals pressing the W-key).

1 Like

I have disabled LoadString :slight_smile: :slight_smile:

1 Like

These are some examples, quoted:

1 Like

Thanks for the tip! I just did this and no backdoors were detected :frowning:

It’s impossible to do any of the exploits you are listing if loadstrings and backdoors aren’t available; the only possible way for this to happen is for one of your remotes to be very abusable.

3 Likes

WOA! What Admin command service do you use? Maybe it is backdoored? Or do you have a free Antiexploit tool like AV-Protect or GameGuard? Popular free model antiexploits tend to have backdoors in them if they use require(AssetID). I have seen TONS of them that contain it.

1 Like

There are no Admin Command Scripts in my game, nor anti-exploits

1 Like

Oops sorry. When you said:

I thought you meant that you already had an admin command(s) service.

If what you say is true, all scripts are made by you, yatta yatta no free model trees have scripts, blah. Then, the only logical explanation is the plugins you use. It’s a very rudimentary form of injecting backdoors, but can be done without notice to the owner. The best thing you can do is check each and every one of your plugins’ source to make sure no module is being called. Otherwise, what you say is false and there is indeed a backdoor script hiding in your game.

6 Likes
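
A Studio command-bar sweep for the two things the thread keeps returning to, `require(AssetID)` calls and `loadstring`, across every script in the place. This is an added example, not a tool named by any poster; it only sees scripts saved in the place (not the source of installed plugins), and a clean result does not prove there is no backdoor.

```lua
-- Added example: paste into the Studio command bar. Reading .Source needs
-- Studio/plugin permissions, so this does not run in a live server.
local CHECKS = {
	-- require(123456): a module pulled in by numeric asset id
	{ name = "require by asset id", pattern = "require%s*%(%s*%d+%s*%)" },
	{ name = "loadstring call", pattern = "loadstring%s*%(" },
}

-- Returns { {line = n, what = "...", text = "..."}, ... } for one script source.
local function scanSource(source)
	local hits = {}
	local lineNo = 0
	for line in (source .. "\n"):gmatch("(.-)\r?\n") do
		lineNo += 1
		for _, check in ipairs(CHECKS) do
			if line:find(check.pattern) then
				table.insert(hits, { line = lineNo, what = check.name, text = line })
			end
		end
	end
	return hits
end

local flagged = 0
for _, inst in ipairs(game:GetDescendants()) do
	-- Some instances refuse property access; pcall skips them.
	local ok, source = pcall(function()
		return inst:IsA("LuaSourceContainer") and inst.Source
	end)
	if ok and type(source) == "string" then
		for _, hit in ipairs(scanSource(source)) do
			flagged += 1
			warn(("%s:%d [%s] %s"):format(inst:GetFullName(), hit.line, hit.what, hit.text))
		end
	end
end
print(("Scan finished: %d line(s) flagged for manual review"):format(flagged))
```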

Yeah, I have checked every single Script and LocalScript in my game, and LocalScripts are granted absolutely no power. Only the server-sided Scripts are executing important code

Do you have any remotes that can be fired from the client that execute code on the server when the server picks it up?

1 Like