Handler Exploit Script

Alrighty, so this first began about a week ago when a dude messaged me claiming there was a backdoor in my homestore. He screenshared, but I saw him run a code which added the handler script to my game. Therefore, I removed it and checked everything in game.
Another incident just like before occured a few minutes ago at my runway. They run a code which adds the handler script to my game and then exploit as usual. I didn’t have this problem before, but it’s becoming an issue for me.

I was wondering if there was a way I could make a script that blocks any local scripts named “Handler” from being created and/or added. It’s something I’d like to try, and if it is possible, perhaps some help would be great. :grin:

4 Likes

That’s really hacky.

Just use this: Kronos - Scan your game for viruses, backdoors - Plugin

Or use something like it, any back-door finder that is trusted will do :slight_smile:

do use any free models, if not and all your remotes are secure then you should be good

1 Like

I think the approach you’re taking to resolving the exploiting problem is what’s incorrect and leading you towards searching for a solution to removing exploiters from your place the wrong way.

If an exploiter is able to run arbitrary code within your game from a LocalScript, then your game has a vulnerability that was added in by an infected plugin or model. You need to go out and search for that script and remove it.

When it comes to anti-exploitation, you should always focus on securing the server-side first. You will need to remove scripts you did not add that look to be suspicious and add validation to any remote calls you do in the game.

There are several issues with backdoors from developers, a minimum of around two threads of it exist per week (only a slight overexaggeration). Please do make use of the search bar, you will find many threads discussing backdoors and how to combat them.

I have recently answered one. It’s a little different since this talks about using LocalScripts to combat other LocalScripts, but that’s the only way you could attempt blocking a Handler script.

In general, it would do you good to scroll through a few threads and see if they answer your problem before further inquiring about the matter. Take a look at all these threads.
https://devforum.roblox.com/search?q=backdoor%20category%3A55

Run this script in the command bar in Studio to get every script in your game and just delete the one you don’t recognize/has code you weren’t aware your game had.

If you’re unaware of the scripts you have and don’t know how to spot a malicious script, you should look for obfuscation or if a script is calling require, look up the first argument (module number) and if you don’t recognize the module then you should probably delete the script.

for i,v in pairs(game:GetDescendants()) do -- iterates through all game descedants
    pcall(function() -- use pcall because some scripts require  a higher context level to access 
        if v:IsA("LuaSourceContainer") then -- check if class is a lua source container
           print(v:GetFullName()) -- prints path of script 
        end
    end)
end

You could possibly also check if there’s a script that uses a certain string located in its source. You can put this script in the command bar, and execute it. It’ll print all the scripts that contains “loadstring” “require” or “getfenv” you can also get fancy, which most backdoors do by reversing the strings, so you could also add. This is just to check a script that contains those strings in there, you could also change it. So, not all printed items are actually backdoors, some of them are just your own scripts.
gnirtsdaol – Loadstring
vnefteg – Getfenv
eriuqer – Require

for _, descendant in pairs(game:GetDescendants()) do
    pcall(function()
    if descendant:IsA("Script") or descendant:IsA("LocalScript") then
-- if string.find(descendant.Source, "loadstring") or string.find(descendant.Source, "require") or string.find(descendant.Source, 'getfenv') then
-- if string.find(descendant.Source, "gnirtsdaol") or string.find(descendant.Source, "eriuqer") or string.find(descendant.Source, 'vnefteg') then
            print("A backdoor may have been found at "..descendant:GetFullName())
        end
     end
     end)
end

Kronos should be able to find it. If it doesn’t, it means you have a remote / model that lets exploiters add stuff in your game (models like a free catalog or smth)