Exploiters are running rampant in my game

Empty! Nothing is in the plugins folder, quite strange but I’ll try to remove them again…

THere’s two directories - Plugins and InstalledPlugins

Disable the plugins if you haven’t tried, try reinstalling studio if the problem persists.

Okay what worked for me was not just deleting them from the folder, but deleting them by clicking the red X in “Manage Plugins”. Otherwise I think the plugins get merged into some master plugins file and what’s listed in the plugins folder is just some copy… because I had the same experience - the plugins were still there even after deleting them from the InstalledPlugins folder.

I’ll definitely try to remove all the plugins, thank you
How would this actually work though? would removing my plugins remove any malicious code injected by said plugins?

You may have your game saved with the code, so you’ll still need to do a thorough scan and maybe check every script that’s listed for any code that’s not yours.

I had an issue with a tree model, that had a very sophisticated script trying to send my whole place to some http server using the HttpService. I didn’t notice it till I had 1000 copies of the tree in my place and the HttpService got throttled and thew errors.

I’m writing / creating a huge game, that I’ve already been working two months on, and would hate to just be giving it away like that.

Have you considered that the backdoor may be embedded in one of your scripts? Plugins can edit the source of scripts so would be a good idea to search in every script (if you haven’t already done this).

Id look for any scripts that have loadstring() in them, if it isnt yours Id suggest doing something with it.

The plugins folder is for internal plugins and manually installed ones, while InstalledPlugins is automatically managed by the Manage Plugins window and corresponds to what you install from the website. The former is less likely to have any backdoor-based problems since it rarely gets used.

Just throwing this around in case there’s any confusion.

They’ve teleported players to a seperate game, played audios that I couldnt :Stop(), forced me to chat things (like :admin all) and it was really bizzare.

Have you inserted any “Admin Command Scripts” in your game? This sounds like the admin script may be vulnerable to exploits.

Your admin commands are probably the vulnerability here. Check those over maybe?

Do you have an admin suite in your game like adonis? I know adonis had a backdoor a while back granting creator admin to anyone that ran a specific set of code.This caused people to do essentially what you are saying is happening with the teleporting and other commands being ran. This backdoor was patched however it is also possible another was found.

There are quite a few plug-ins that can scan your game for viruses / backdoors:

Backdoor Scanner/Remover - Roblox (I don’t know how trusty that one is so… maybe don’t use it)

https://www.roblox.com/library/2748528182/Kronos-Virus-Scanner (Kind of broken
but is still worth a try)

Also don’t use free models… just don’t . Make sure there are no scripts in your game with: require(The_Argument_In_Here_Does_Not_Matter), and make sure there are no scripts in your game with getfenv(The_Argument_In_Here_Does_Not_Matter). Make sure there are no scripts in your game that you have not created / don’t know what they are. Also… Be sure to post the malicious code here so we can determine weather or not it’s suspicious. And please… make sure there is nothing in your game with very odd names.

And, a bit more advice here: Don’t EVER use models that claim they are anti-exploits.

Forgot to mention… Could you post an image of all the plug-ins that you have installed in your game (If any)?

I appreciate all this advice, I’ll definitely look into the admin commands and work on my own to replace the one I’m currently using (Adonis). FYI Loadstring and HttpService are disabled.

I’ll also see if I can post an image of my currently installed plugins. I’ll continue to go through them and see what I can do.

@DragRacer31
The first plugin you linked is an obfuscated script, most of the time they are backdoors.

@Radiakk
I suggest using the newest version of Kronos, which you can find here. (link)

I also stated the following:

Sadly, all the anti exploit plugins that I had installed, months ago, did nothing with an obfuscated script…

One thing I’ve done is create an array built with all the script names of scripts I allow in the game, and it runs on a threaded, infinite loop to make sure no differing scripts are running, anyplace in the game, at any time… at least in this beginning testing phase while I script the game, apart from the map. I’ll scan the map and any free models I use, separately for scripts, in a place of their own, apart from my main code. I’m getting paranoid now. lol

I’m paranoid already.
Can I have a copy of your ‘check all scripts running’ fix and how did you create the list of scripts array?

If the exploiters are still persistent in bugging you, why not ask a fellow developer to look at your game’s scripts? Sometimes having a second set of eyes to look at your code helps.

I also advise you try to clear all the rank records from your admin script’s database, and maybe replace the admin loader you have with the official copy again.