Your admin commands are probably the vulnerability here. Check those over maybe?
Do you have an admin suite in your game like Adonis? I know Adonis had a backdoor a while back granting creator admin to anyone that ran a specific set of code. This caused people to do essentially what you are saying is happening with the teleporting and other commands being run. This backdoor was patched; however, it is also possible another was found.
There are quite a few plug-ins that can scan your game for viruses / backdoors:
Backdoor Scanner/Remover - Roblox (I don’t know how trusty that one is so… maybe don’t use it)
https://www.roblox.com/library/2748528182/Kronos-Virus-Scanner (Kind of broken but is still worth a try)
Also don’t use free models… just don’t. Make sure there are no scripts in your game with: require(The_Argument_In_Here_Does_Not_Matter), and make sure there are no scripts in your game with getfenv(The_Argument_In_Here_Does_Not_Matter). Make sure there are no scripts in your game that you have not created / don’t know what they are. Also… Be sure to post the malicious code here so we can determine whether or not it’s suspicious. And please… make sure there is nothing in your game with very odd names.
And, a bit more advice here: Don’t EVER use models that claim they are anti-exploits.
Forgot to mention… Could you post an image of all the plug-ins that you have installed in your game (If any)?
I appreciate all this advice, I’ll definitely look into the admin commands and work on my own to replace the one I’m currently using (Adonis). FYI Loadstring and HttpService are disabled.
I’ll also see if I can post an image of my currently installed plugins. I’ll continue to go through them and see what I can do.
@DragRacer31
The first plugin you linked is an obfuscated script, most of the time they are backdoors.
@Radiakk
I suggest using the newest version of Kronos, which you can find here. (link)
I also stated the following:
30 Characters
Sadly, all the anti exploit plugins that I had installed, months ago, did nothing with an obfuscated script…
One thing I’ve done is create an array built with all the script names of scripts I allow in the game, and it runs on a threaded, infinite loop to make sure no differing scripts are running, anyplace in the game, at any time… at least in this beginning testing phase while I script the game, apart from the map. I’ll scan the map and any free models I use, separately for scripts, in a place of their own, apart from my main code. I’m getting paranoid now. lol
I’m paranoid already.
Can I have a copy of your ‘check all scripts running’ fix and how did you create the list of scripts array?
If the exploiters are still persistent in bugging you, why not ask a fellow developer to look at your game’s scripts? Sometimes having a second set of eyes to look at your code helps.
I also advise you try to clear all the rank records from your admin script’s database, and maybe replace the admin loader you have with the official copy again.
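The checks suggested in this thread (searching every script for require( and getfenv(, and comparing script names against a list of scripts you allow) can be combined into one audit run from the Studio command bar. This is an added example, not code posted by anyone in the thread; the names in ALLOWED_NAMES and the choice of services to scan are assumptions.

```lua
-- Added example. Run from the Roblox Studio command bar: Script.Source is
-- only readable there or from a plugin, not from a running game script.
local ALLOWED_NAMES = { -- constructed placeholders; list your own script names
	GameMain = true,
	RoundManager = true,
}
local SERVICES = { -- assumed set of containers that normally hold scripts
	"Workspace", "ServerScriptService", "ServerStorage", "ReplicatedStorage",
	"ReplicatedFirst", "StarterGui", "StarterPack", "StarterPlayer", "Lighting",
}
local PATTERNS = {
	{ label = "require(...)", pattern = "require%s*%(" },
	{ label = "getfenv(...)", pattern = "getfenv%s*%(" },
}
-- Returns a list of human-readable findings for one script instance.
local function auditScript(scriptObj)
	local findings = {}
	if not ALLOWED_NAMES[scriptObj.Name] then
		table.insert(findings, "name is not in the allowlist")
	end
	local ok, source = pcall(function() return scriptObj.Source end)
	if not ok then
		table.insert(findings, "source could not be read")
		return findings
	end
	local lineNumber = 0
	for line in string.gmatch(source .. "\n", "(.-)\r?\n") do
		lineNumber += 1
		for _, check in ipairs(PATTERNS) do
			if string.find(line, check.pattern) then
				table.insert(findings, ("line %d uses %s"):format(lineNumber, check.label))
			end
		end
	end
	return findings
end

local flagged = 0
for _, serviceName in ipairs(SERVICES) do
	for _, inst in ipairs(game:GetService(serviceName):GetDescendants()) do
		if inst:IsA("LuaSourceContainer") then -- Script, LocalScript, ModuleScript
			local findings = auditScript(inst)
			if #findings > 0 then
				flagged += 1
				warn(inst:GetFullName() .. ": " .. table.concat(findings, "; "))
			end
		end
	end
end
print(("Audit finished: %d script(s) need review"):format(flagged))
```

A plain text match like this does not see through an obfuscated script, so a script flagged only for its name still needs a manual read.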