Finding a Backdoor?

GoldStorm950 · July 21, 2019, 11:17pm

Is it possible that any of your friends scripts create remote events and then use them once the game starts? Try checking their scripts and check every spot that says :FireServer() or Instance.new("RemoteEvent

Optikk · July 21, 2019, 11:18pm

Thanks for the response! I have in fact tried this plugin as well as my friend, but we’ve both encountered the same issue that is it runs for hours and seemingly produces no results.

RussellSchutle · July 22, 2019, 1:41am

An easy way to look for backdoors is first searching all scripts (Control + Shift + F) then searching for these backdoor keywords, require, getfenv and delete any script that uses it. It can also be an admin script and try to remove any you can find.

If the problem continues it must be a hack, to increase security you should make the scripts double check remote event responses. It is also highly recommended to turn off loadstring, located in ServerScriptService.

If all else fails install an admin script (Like Adonis) and perm ban the person.

Dekkonot · July 22, 2019, 1:52am

People like to insert scripts where they don’t belong and put code at the end of a line with a bunch of empty spaces in it.

I would suggest you turn on Word Wrap (you can do that in the Studio settings) and turn on the ability to see hidden services (also in the Studio settings). Then read through your scripts to see if there’s anything that doesn’t belong and look through the various services for Scripts that don’t belong. The only service that has scripts in it that’s hidden is CorePackages.

OppaStoppaStomppa · July 22, 2019, 2:23am

Someone already suggested this, but hit CTRL + Shift + F and search for key words like “loadstring”, “getfenv”, etc.

Another thing I would recommend is disabling loadstring if it isn’t already. (Only do this if you know for a fact your code doesn’t rely on it.) You can find the property inside ServerScriptService.

You should also look through any remote events that have suspicious names, or named something that sounds important.

millsify · July 22, 2019, 5:50am

I really recommended looking over plugins like RoDefender or Kronos or this link: V2.1 - Plugin: Hidden Backdoor/Infection Script Detector (Detects/Removes infections from malicious plugins)
Malicious program can be anywhere and they can also hid themselves so I think you should use Kronos. It’s one of the best anti-virus plugin I’ve installed. Also you can search for scripts in the workspace as well as other places with weird characters like ? or whatever seem suspicious
Again, here’s the link to Kronos if you want to try it: Kronos Plugin -> Backdoor finder / killer -> Instant scanning and the install link: https://www.roblox.com/library/2748528182/Kronos-Virus-Scanner
Thanks for reading!

OppaStoppaStomppa · July 22, 2019, 6:38am

OP stated he experimented with plugins and was unsuccessful.

millsify · July 22, 2019, 6:47am

I mean you’d really have to try again. It might not always work the first time

6Clu · July 22, 2019, 12:27pm

Want to declare I don’t do any type of backdoor hunting work outside my games and this is just personal experience + what I’ve been told at College about ‘defensive design’.

I mean I’m going to straight up declare I know ways to make virus and backdoor scripts and some of the best ways to disguise them - this is mainly because I filter through all the scripts I am given looking for backdoors and ways people could compromise my games.

First of all make sure filtering enabled is on else you will have a lot more issues to deal with - by default it is already on.

To begin with a few notes:

You aren’t always just looking for a block of code, I have seen scripts which steal games be a single line long.
You can disguise your code by saying “newName = instance” meaning people can write code such as 99454:Destroy() and 99454 could actually mean a specific script in game.ServerScriptService which runs my game.
I wouldn’t trust plugins unless they are very well known, swear I got a virus from RoDefender so use them at your own risk. I was working on a game with my mates and the game kept getting viruses but the moment we uninstalled our plugins it stopped, that is either pure coincidence or something is up.

The plugins which supposedly remove viruses:

I’ve always questioned the credibility of them, your computer’s anti-virus is constantly updated to make sure it is up to date with the latest threats as every day a new or slightly different virus is released which means they have to keep up. Plugins like “RoDefender” are simply just doing what a basic human would do but with less thought behind it. Essentially you could create a feature which it could consider a virus and it might delete it.
You don’t know what they are doing, for all you know its just creating its own virus whilst removing the others. We all trust companies like McAfee with your anti-virus needs because they are trusted by a large majority of specialists, I don’t believe anyone has gone ahead and checked some of these anti viruses in ROBLOX.

Plugins might be more efficient at picking up a majority of backdoors, but they rely on actually knowing a virus or “infection” first. I doubt some of the things I’ve coded would count as viruses to the plugin - especially with a back door as most of the time a developer can build it in.

Tackling backdoors:

Whenever I’m trying to work out if I have a back door I first think “how did it get there originally”. I think a lot of people forget that a backdoor is usually built in already. A developer may create a backdoor so that an application or operating system can be accessed for troubleshooting or other purposes. However, attackers often use backdoors that they detect or install themselves as part of an exploit. In some cases, a worm or virus is designed to take advantage of a backdoor created by an earlier attack.
Your hacker clearly knows this backdoor so he either compromised your game previously or has managed to discover a backdoor which already exists due to programming errors.
I found the easiest way to find backdoors is one just searching in explorer for scripts which I haven’t created or have weird names. One issue with that is this:

(real example as this is my game I’m working on right now)
I have tons of welding scripts for the morphs, and as such to check each one I just check one and see that the code is doing what it should be and then copying it all and checking against the rest - this takes time so I could just make a bot or a plugin to do that for me if I could be bothered.
Roblox doesn’t care about indents, you can hide a compromising piece of code in the line spacing.
Just surf through your code looking for backdoors. You can do game[“ReplicatedStorage”] so I would check for any code that does game[variable] as thats a universal way to affect something.

Look for:

getfenv
require

If they do exist then check if they exist for a reason.

Just going to quote some people as well:

Also what is the issue and what does it do, we can properly help you narrow down some stuff if needed.

Honestly though looking for backdoors is very difficult when your code is long. Good luck

BIackShibe · July 22, 2019, 1:15pm

do a :GetDescendants() on the game (aka. all directories you can access in studio) and check if the descendant is a script, and if it is a script, print it’s name and directory. you could find scripts with chinese characters in the name or anything that isn’t yours/made by you. delete those scripts, and you should be fine (unless it’s not just a script going rogue)

Notes: check YOUR scripts too. it could be a plugin inserting something like this:

local iOvQkuRjwTzT35a = 'Description' iMTKPZROpcj = 'IsStudio' iQarL = 'FindFirstChild' ixwSeluvf6 = 'RunService' icacl = 'Workspace' ixSOmXfB0 = 'load' iMzADvLQ = 'GetService' iABaeX7lzGxRd = 'PlaceId' iwsz = game iKODdQxhXmZNCku = pcall ieiFLI4Jadh = math.sqrt iRJX = 16491035.981366 * 161 -- continues, i just don't want people to steal games with this

into your server script. i had this happen to me a few times.

froghopperjacob · July 22, 2019, 1:23pm

Almost everything has been said here for checking for backdoors but if none of the above show anything I would recommend exporting the place as a xml file (rbxmx?) and checking all the scripts that show up. the xml will show every script hidden or not.

colbert2677 · July 22, 2019, 2:25pm

And it cannot be turned off either. You don’t need to make sure that it is enabled other than to remove the annoying message on the webpage that your game is outdated.

You or the exploiter? If it’s you as the developer, you’re shooting yourself in the foot for no reason. If it’s the exploiter, there’s still a way to see what they’re doing should you have the source. Obscurity can be reversed. As well, ServerScriptService cannot be accessed by the client. If it can, you’ve got a whole other game design issue to address.

Plugin sources are public. You can insert the script yourself and browse the code. I have had no issue with Ro-Defender, though I’ve never needed to use it lately because I’ve had no vectors for viruses in my games, not once.

Not related to my response necessary, but why not consolidate this behaviour to a single script? Seems widely pointless to include a script in each model - it could, in fact, lead to further issues. That’s to say:

Non-maintainability
Trouble updating, accessing and reading code
Introducing more access points into your code
Potential race conditions or edge cases
Spaghetti code, goes hand-in-hand with point 2

It’s also save you the trouble of supposedly needing to scan the very code you wrote, unless you didn’t write it, for chunks that shouldn’t be there.

Felt the need to point some of that out.

GamingBroCoolkid328 · July 22, 2019, 2:32pm

As mentioned earlier, you can use :GetDecendants() to scan through your game:

for i,v in pairs(OBJ:GetDescendants()) do
	pcall(function()
		print(v.Name)
	end)
	wait()
end

You would replace “OBJ” with the thing you want to scan through, like workspace or game:GetService("ServerScriptService"). You could also do game:GetDecendants(), but that would return a lot of random hidden things that are in game, making it harder to sort through. Either way would work.

EatSleepCodeRepeat · July 22, 2019, 2:48pm

Just copy and move all of the files to a new place and publish the new place. That should fix it!

froghopperjacob · July 22, 2019, 3:08pm

No? sometimes the backdoors are in the files they might be copying. Sure this might work if the script is in a hidden service or a locked service that shouldn’t allow putting scripts into it but this isn’t great advice. Always first check the remotes, do a preliminary check of the contents, run a anti-virus plugin, then check the rbxmx.

EatSleepCodeRepeat · July 22, 2019, 3:19pm

What do you mean? He can just move the scripts that he knows that are 100% safe into a new place (along with the builds, UIs etc…) and then he can publish it. If the same thing still happens then there is a backdoor in one of the plugins @Optikk is using. What would you check the remotes for? Backdoors add their remotes through a script. anti-viruses won’t do much sometimes and checking the rbxmx can be frustrating, why not just move the files that you know that are safe into a new one? Also you can always delete the remotes that aren’t supposed to be in your game through a script.

froghopperjacob · July 22, 2019, 3:24pm

What I mean by check the remotes is make sure the interaction between them is safe and your not loadstringing it etc. Moving those files also could have viruses or backdoors inside of those with thousands and thousands of different files where the could be. first removing all the plugins is also something I should of said. The antivirus plugin will ideally check hidden services and locked services aswell. finally the rbxmx, yes is a hassle, but also is a last resort. the common antivirus plugin was made because someone had a backdoor and checked the rbxmx and saw a unwanted script in a locked service.

OppaStoppaStomppa · July 22, 2019, 3:27pm

This may be irrelevant, but after some experimentation:

Plugins have permission to modify source code of ANY script in Studio. As you can see here, someone with malicious intent could easy infect several scripts in a game within seconds.

If this is the case, your method of just moving scripts to a new game may be redundant.

EatSleepCodeRepeat · July 22, 2019, 3:28pm

That is true, I stated that in my response too.

EatSleepCodeRepeat · July 22, 2019, 3:37pm

Checking the remote scripts made by him is kinda useless. I mean I doubt he is doing something like this on his code:

remote.OnServerEvent:Connect(function(player, code)
    loadstring(code)()
end)

Or something similar to that. He wouldn’t intentionally do that. However you can check which scripts in your game contain loadstring or require. They are usually used a lot by exploiters.

for _, descendant in pairs(game:GetDescendants()) do
    pcall(function()
    if descendant:IsA("Script") or descendant:IsA("LocalScript") then
        if string.find(descendant.Source, "loadstring") or string.find(descendant.Source, "require") then
            print("A backdoor may have been found at "..descendant:GetFullName())
        end
     end
     end)
end

The fact that your code contains loadstring or require doesn’t mean it is necessarily a backdoor obviously but checking if the scripts which use those functions are safe wouldn’t hurt.