Hello, first off I apologize if this is in the wrong section. I am new here.
I have a new town and city roleplay game which my friends and I rolled out last week. The past two days we have been constantly targeted by some users using server side exploits. We have been unable to combat these as my friends and I aren’t scripters. I have tried some old school ways like having a team of moderators to watch over my game and setting up an age script to prevent alts from joining but these have failed to stop them.
Some of the issues we have had:
-People playing music and it raining minecraft blocks.
-Removing the map and inserting a WW2 Prisoner Camp that breaks TOS rules.
-Removing the map and inserting a grave for xxxtentacion.
-Garfield cats raining from the sky.
-Players are given illegal substances by the exploiter.
-Other content I really probably shouldn’t post on here because it breaks TOS.
This is reoccurring from the same couple people using various accounts. I don’t know if they are using Synapse or some other exploit. I am not very knowledgeable in that area.
I have been told that there are methods now where coders can help decrease the chances of people being able to affect your game. But I am really just a builder who edits free model code and I’m clueless and ripping my hair out.
This is my first new game since 2015 and a lot has changed on this website since then. If someone can help me somehow or recommend scripts/methods that would help combat this it would mean the world to us. I have looked all over youtube and the internet and haven’t had any luck.
What kind of exploits are you experiencing? Are they physical exploits, like teleporting/flying/walking through walls/infinite health/etc? Or are they actually manipulating the game’s features? It’s hard to help without more details.
As for suspicious devforum links, this is definitely the wrong category for that. You should probably edit that out.
Hello, I am sorry about that. I amended my original post.
I believe the issues we have been having lean more towards the manipulation of the game’s features. Some of the issues we have had:
-People playing music and it raining minecraft blocks.
-Removing the map and inserting a WW2 Prisoner Camp that breaks TOS rules.
-Removing the map and inserting a grave for xxxtentacion.
-Garfield cats raining from the sky.
-Players are given illegal substances by the exploiter.
-Other content I really probably shouldn’t post on here because it breaks TOS.
This is reoccurring from the same couple people using various accounts. I don’t know if they are using Synapse or some other exploit. I am not very knowledgeable in that area.
1) Have a backdoor in your game that exploiters are abusing
2) Have a remote that allows inserts perhaps(?) that is heavily unprotected
For the backdoor, try doing CTRL + F in studio and look for Require or Insert. If you have a team or you commissioned scripters for your game, there’s always that small chance that someone could have abused and placed a backdoor in your game via one of the two methods above.
If you’d like, you can contact me via discord @ Zenuvius#2480, I have a lot of experience with anti exploits and given enough information, I should be able to guide you through the methods in patching all these exploits
Most likely the exploiters in question are taking advantage of code injected into your studio place that gives them access to code server-side. Luckily, there are a ton of plugins that can remove this type of stuff
You can also just check for blocks of code or scripts that shouldn’t be there like the usual “Fire Spread” and “Vaccine” viruses. Although it may take longer.
Forgive my ignorance and correct me if I’m wrong, but I checked that plugin just in case for OP and installation does nothing to games besides a fancy icon in the plugin list,
Having looked into it, below is the error in the script’s installation,
Again, however, I highly suggest OP manually check for backdoors using CTRL + SHIFT + F. Don’t get me wrong, I’m not ruling out the possibility that exploiters have managed to break through FE and manipulate the server directly; however, I wouldn’t turn to that possibility before doing manual checks, because from the sound of it, someone might have made a backdoor in your game or you have a very vulnerable remote system in your game.
I’m certain that those errors that the plugin source is throwing are just for the Icon on the plugins menu for studio, and that there is actual functionality since it was off this thread and multiple users have vouched its credibility, but apologies for not providing any context.
But OP can just as easily find a multitude of plugins that have the same functionality instead of going off the first thing I found.
But here’s another [more well known] plugin that may help out and make this process easier:
This is made by a different person from the one that made the Loader and MainModule that I just posted above.
Could I possibly have something here or did it accidentally pick up the game admin? I am going to try researching this admin some more and see if I can’t find out more about it.
I wrote a script which does some basic script parsing.
This will look for more than backdoors using require. I recommend reading my post for more information on what it does and how to use it.
Also I got a report that it may not have been working properly and I haven’t been able to locate any issues, so if you get stuck at 100% please let me know.
It definitely doesn’t detect everything and it’s more meant to narrow down the scripts you should be looking at. You should look at any scripts it reports back and make sure they are working as intended.
Unfortunately, a lot of models from the Library are insecure in one way or another. Exploits that arise from errors in these scripts can be as simple as not type-checking what gets received by a remote signal to something as hard-to-find as inserting a player-given asset ID.
If you don’t have time to learn Lua for yourself, I suggest you share your game’s place files with someone who already does know it so that they can take a look.
The last time I saw an emergency situation like yours, it was the result of some simple server script that accepts player signals. This script allowed players to change properties of nearly everything.
It is important to note that require and InsertService aren’t the only ways to create a backdoor. Assuming one of your team members, or perhaps someone you previously allowed Team Create access, had malicious intent, there are a few other methods to do so, such as creating a malicious remote that allows asset IDs as the arguments, making silent chat commands and then hiding that chat from other players in the server via “/c system”, etc.
These are methods most of these open-sourced backdoor-removal plugins simply can’t detect; rather, they are code you have to investigate and find yourself via CTRL + SHIFT + F.
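Added example, not part of any post in this thread: a server-side remote handler hardened against the two weaknesses described in the posts above (no type-checking of what the remote receives, and a client-supplied asset ID being inserted). The remote name `PlaceItem`, the `PlaceableItems` folder and the spawn offset are hypothetical.

```lua
-- Added example (server Script). All names below are hypothetical.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

local placeItem = ReplicatedStorage:WaitForChild("PlaceItem") -- hypothetical RemoteEvent

-- Weak shape described in the thread (shown as a comment only):
--   placeItem.OnServerEvent:Connect(function(player, assetId, parent)
--       InsertService:LoadAsset(assetId).Parent = parent
--   end)
-- The client chooses both the asset and where it goes, and nothing is type-checked.

-- Hardened shape: the client sends only a short item name. The server maps that
-- name to a model the developer placed in ServerStorage and decides the position.
local CATALOGUE = ServerStorage:WaitForChild("PlaceableItems") -- folder of vetted Models
local MAX_NAME_LENGTH = 50

local function resolveTemplate(itemName)
	-- Type check first: remotes deliver whatever the client sent, of any type.
	if typeof(itemName) ~= "string" or #itemName == 0 or #itemName > MAX_NAME_LENGTH then
		return nil
	end
	local template = CATALOGUE:FindFirstChild(itemName)
	if template and template:IsA("Model") then
		return template
	end
	return nil
end

placeItem.OnServerEvent:Connect(function(player, itemName, ...)
	-- Extra arguments mean the call did not come from our own client code.
	if select("#", ...) > 0 then
		return
	end
	local template = resolveTemplate(itemName)
	if not template then
		return
	end
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then
		return
	end
	local clone = template:Clone()
	clone:PivotTo(root.CFrame * CFrame.new(0, 0, -6)) -- position is chosen by the server
	clone.Parent = workspace
end)
```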
Try CTRL+SHIFT+F and search for “getfenv”. Check for any suspicious results.
If you find any “empty” scripts in your game, beware: sometimes backdoor loaders are hidden far to the right of the script, on the first line.
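Added example, not part of any post in this thread: a Command Bar script that automates the manual searches suggested above (`require`, `InsertService`, `getfenv`) and also flags code pushed far to the right of a line behind whitespace. The pattern list and the 80-character padding threshold are assumptions; results are a list of scripts to read, not a verdict.

```lua
-- Added example for the Studio Command Bar; thresholds and labels are assumptions.
local PAD_THRESHOLD = 80 -- whitespace run (characters) treated as "pushed off-screen"
local KEYWORDS = {
	{ label = "require() by numeric asset ID", pattern = "require%s*%(%s*%d+" },
	{ label = "getfenv", pattern = "getfenv" },
	{ label = "InsertService", pattern = "InsertService" },
	{ label = "LoadAsset", pattern = "LoadAsset" },
}

-- Pure string check: returns a list of "line N: reason" findings for one source.
local function scanSource(source)
	local findings, lineNo = {}, 0
	for line in (source .. "\n"):gmatch("(.-)\r?\n") do
		lineNo = lineNo + 1
		for _, k in ipairs(KEYWORDS) do
			if line:find(k.pattern) then
				table.insert(findings, ("line %d: %s"):format(lineNo, k.label))
			end
		end
		-- Code hidden to the right: a long whitespace run followed by more text.
		for pad in line:gmatch("(%s+)%S") do
			if #pad >= PAD_THRESHOLD then
				table.insert(findings,
					("line %d: code after %d whitespace characters"):format(lineNo, #pad))
				break
			end
		end
	end
	return findings
end

-- Walk every script in the place. pcall guards instances that refuse Source reads.
for _, inst in ipairs(game:GetDescendants()) do
	if inst:IsA("LuaSourceContainer") then
		local ok, source = pcall(function()
			return inst.Source
		end)
		if ok and type(source) == "string" then
			for _, finding in ipairs(scanSource(source)) do
				warn(inst:GetFullName() .. " -> " .. finding)
			end
		end
	end
end
```

Legitimate admin systems and loaders also use `require` with an asset ID, so each reported script still has to be opened and read.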
Alright, I’ve assisted OP via discord and TC in regards to the backdoor in his game, searched for, found and removed the model. I’ve also run a check for the origin of the backdoors via MarketplaceService, and below is the full repro on how this SS backdoor is spreading around to unsuspecting developers that use free models,
Personally by default I highly encourage against using free models unless you know how to manually check for obfuscated / basic backdoors, because this is how SS Backdoors like this are spreading around roblox games, often by our own ignorance.
Don’t take harshly of this experience however, mistakes happen, we live and we learn. After all, mistakes are only mistakes when you learn nothing from them!
So take valuable lessons from this where you can and move forward mates
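```lua
-- Replace the name with the model you want to strip.
local free_model = workspace["unsafe model name"]

-- Deletes every script and every Fire object anywhere inside the model.
local function better_safe_than_sorry(model)
	for i, v in pairs(model:GetDescendants()) do
		-- LuaSourceContainer covers Script, LocalScript and ModuleScript.
		if v:IsA("LuaSourceContainer") or v:IsA("Fire") then
			v:Destroy()
		end
	end
end

better_safe_than_sorry(free_model)
```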
Edit to target a model too big to search manually, and paste the script in your Command Bar. It will search through all descendants of an unsafe model and delete any LuaSourceContainers (Scripts, LocalScripts, ModuleScripts) or Fire objects (more often than not, used to create unbearable amounts of lag).
Personally, I NEVER trust scripts not written by me or a trusted developer. It’s better to be safe than sorry, even if that means hiring a builder/scripter.