Hello, so while checking out my friends game that was infected with a backdoor I found a script that was linked to a LinkedSource that has been renamed/deleted this prevents you from opening the script at all so you have to print out its contents.
I printed out the source using the studio command bar and this was the output:
local env = {
WaitForChild = function(self, name)
if not game:service'RunService':IsStudio() then
return 4230045453
end
return script:WaitForChild("ModuleScript")
end;
}
local script = env
local module = require(script:WaitForChild("ModuleScript"))
The module it was requiring was updated to be offsale.
Exmaple of what it looked like while trying to open the script:
When you try to search for require using Ctrl + F it looks like a normal require as seen below
I created this code to check if scripts inside your game has a modified LinkedSource on it and I created this post to spread awareness on this new method of hiding malicious code.
The code to run in your studio command bar:
local check = function(inst)
return inst:IsA('LuaSourceContainer')
end
local scripts = function(inst,i)
for i = (i or 0) + 1, #inst do
local instance = inst[i]
local success,result = pcall(check,instance)
if success and result then return i,instance end
end
end
local Locate = function()
local infected = {}
for i,v in scripts,game:GetDescendants() do
if v.LinkedSource ~= "" then
print(v)
infected[#infected+1] = v:GetFullName()
end
end
if (#infected ~= 0 and infected ~= nil) then
warn("[!] A suspicious script with LinkedSource has been located")
return print('["',table.concat(infected,'"] = true; ["'),'"] = true')
else
return warn("[!] No suspicious has not been located")
end
end
Locate()
When ran in your studio command bar you should see an output like this if your game has a script with a modified LinkedSource:
I hope that this helps anyone that was having the same issue as my friend and could not find the malicious code.