HELP Exploiters targeting my new game

What kind of exploits are you experiencing? Are they physical exploits, like teleporting/flying/walking through walls/infinite health/etc? Or are they actually manipulating the game’s features? It’s hard to help without more details.

As for suspicious devforum links, this is definitely the wrong category for that. You should probably edit that out.

5 Likes

Hello, I am sorry about that. I amended my original post.

I believe the issues we have been having lean more towards the manipulation of the game’s features. Some of the issues we have had:

- People playing music and it raining Minecraft blocks.
- Removing the map and inserting a WW2 Prisoner Camp that breaks TOS rules.
- Removing the map and inserting a grave for xxxtentacion.
- Garfield cats raining from the sky.
- Players are given illegal substances by the exploiter.
- Other content I really probably shouldn’t post on here because it breaks TOS.

This is reoccurring from the same couple of people using various accounts. I don’t know if they are using Synapse or some other exploit. I am not very knowledgeable in that area.

Sounds to me like you either:

1) Have a backdoor in your game that exploiters are abusing
2) Have a remote that allows inserts, perhaps(?), that is heavily unprotected

For the backdoor, try doing CTRL + F in Studio and look for Require or Insert. If you have a team or you commissioned scripters for your game, there’s always that small chance that someone could have abused that and placed a backdoor in your game via one of the two methods above.

If you’d like, you can contact me via Discord @ Zenuvius#2480. I have a lot of experience with anti-exploits and, given enough information, I should be able to guide you through the methods of patching all these exploits :+1:

7 Likes

Most likely the exploiters in question are taking advantage of code injected into your Studio place that gives them access to code server-side. Luckily, there are a ton of plugins that can remove this type of stuff.

You can also just check for blocks of code or scripts that shouldn’t be there like the usual “Fire Spread” and “Vaccine” viruses. Although it may take longer.

Here’s one I just found that may help: https://www.roblox.com/library/3550088966/Backdoor-Scanner

1 Like

Forgive my ignorance and correct me if I’m wrong, but I checked that plugin just in case for OP and installation does nothing to games besides a fancy icon in the plugin list.

Having looked into it, below is the error in the script’s installation:

image

Again, however, I highly suggest that OP manually check for backdoors using CTRL + SHIFT + F. Don’t get me wrong, I’m not ruling out the possibility that exploiters have managed to break through FE and manipulate the server directly; however, I wouldn’t turn to that possibility before doing manual checks, because from the sound of it, someone might have made a backdoor in your game or you have a very vulnerable remote system in your game :+1:

2 Likes

I’m certain that those errors that the plugin source is throwing are just for the icon on the plugins menu for Studio, and that there is actual functionality since it was off this thread and multiple users have vouched for its credibility, but apologies for not providing any context.

But OP can just as easily find a multitude of plugins that have the same functionality instead of going off the first thing I found.

But here’s another [more well known] plugin that may help out and make this process easier:

https://www.roblox.com/library/2670956620/Hidden-Infection-Script-Detector

1 Like

Sorry, this was my mistake trying to fix Roblox’s.
That happened because Roblox broke plugins …

I have updated it, feel free to update the plugin and test again.

1 Like

Hello! I have tried out the plugin: https://www.roblox.com/library/3550088966/Backdoor-Scanner

I got a few things that came up. I will post them here. This is from my output.

10:49:51.077 - [BACKDOOR-LOADER] Commands: (Workspace.Adonis_Loader.Config.API): MainModule.Server.Core.Commands → (MODEL ID: 359948692)

10:49:51.843 - [BACKDOOR-EXECUTOR] Loadstring: (Workspace.Adonis_Loader.Config.API): MainModule.Server.Dependencies.Loadstring → (MODEL ID: 359948692)

10:49:51.956 - [BACKDOOR-LOADER] Functions: (Workspace.Adonis_Loader.Config.API): MainModule.Client.Core.Functions → (MODEL ID: 359948692)

10:49:52.478 - [BACKDOOR-LOADER] Commands: (Workspace.Adonis_Loader.Config.API): MainModule.Server.Core.Commands → (MODEL ID: 359948692)

10:49:53.163 - [BACKDOOR-EXECUTOR] Loadstring: (Workspace.Adonis_Loader.Config.API): MainModule.Server.Dependencies.Loadstring → (MODEL ID: 359948692)

10:49:53.248 - [BACKDOOR-LOADER] Functions: (Workspace.Adonis_Loader.Config.API): MainModule.Client.Core.Functions → (MODEL ID: 359948692)

Here is the link to the admin:
https://www.roblox.com/library/2373505175/Adonis-Loader-BETA

I pasted in the ID found in the output above “359948692” and I got this:
https://www.roblox.com/library/359948692/Adonis-MainModule

This is made by a different person from the one that made the Loader and MainModule that I just posted above.

Could I possibly have something here or did it accidentally pick up the game admin? I am going to try researching this admin some more and see if I can’t find out more about it.

Thanks!

Both of these people are associated with each other. Davey_Bones is ranked in a group owned by Sceleratis. You’ll notice that https://www.roblox.com/library/359948692/Adonis-MainModule links to here: https://www.roblox.com/library/360052698/Adonis-Loader-BETA-WIP

He then links back to Davey_Bones’ module.
https://www.roblox.com/library/2373505175/Adonis-Loader-BETA

I doubt that these have anything malicious.

I wrote a script which does some basic script parsing.
This will look for more than backdoors using require. I recommend reading my post for more information on what it does and how to use it.

Also I got a report that it may not have been working properly and I haven’t been able to locate any issues, so if you get stuck at 100% please let me know.

It definitely doesn’t detect everything and it’s more meant to narrow down the scripts you should be looking at. You should look at any scripts it reports back and make sure they are working as intended.

Unfortunately, a lot of models from the Library are insecure in one way or another. Exploits that arise from errors in these scripts can be as simple as not type-checking what gets received by a remote signal to something as hard-to-find as inserting a player-given asset ID.

If you don’t have time to learn Lua for yourself, I suggest you share your game’s place files with someone who already does know it so that they can take a look.

The last time I saw an emergency situation like yours, it was the result of some simple server script that accepts player signals. This script allowed players to change properties of nearly everything.

It’s something about your Remotes.
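
A sketch of the server-side checks described above (type-checking what a remote receives and never inserting a player-given asset ID). This is an added example, not code from the thread or from OP's game; the `PlaySong` RemoteEvent, the ID values and the cooldown are assumptions made for illustration.

```lua
-- Added example. Server Script (e.g. in ServerScriptService).
-- Assumed: a RemoteEvent named "PlaySong" in ReplicatedStorage (hypothetical).
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

local playSong = ReplicatedStorage:WaitForChild("PlaySong")

-- Only asset IDs the developer has reviewed may be used (constructed values).
local ALLOWED_SOUND_IDS = {
    [1000000001] = true,
    [1000000002] = true,
}
local COOLDOWN_SECONDS = 5 -- assumed value
local lastAccepted = {} -- [Player] = os.clock() of the last accepted request

local function isValidRequest(player, soundId)
    -- Clients can send any value: strings, tables, Instances, nil.
    if typeof(soundId) ~= "number" then return false end
    -- Reject NaN, fractions and non-positive numbers.
    if soundId ~= soundId or soundId % 1 ~= 0 or soundId <= 0 then return false end
    -- Allowlist instead of loading whatever ID the player supplies.
    if not ALLOWED_SOUND_IDS[soundId] then return false end
    -- Per-player rate limit.
    local now = os.clock()
    if lastAccepted[player] and now - lastAccepted[player] < COOLDOWN_SECONDS then
        return false
    end
    lastAccepted[player] = now
    return true
end

playSong.OnServerEvent:Connect(function(player, soundId)
    if not isValidRequest(player, soundId) then
        warn(("Rejected PlaySong from %s: %s"):format(player.Name, tostring(soundId)))
        return
    end
    -- The server picks the class, parent and properties; the client only
    -- chooses among reviewed IDs.
    local sound = Instance.new("Sound")
    sound.SoundId = string.format("rbxassetid://%d", soundId)
    sound.Parent = workspace
    sound:Play()
    sound.Ended:Connect(function() sound:Destroy() end)
end)

Players.PlayerRemoving:Connect(function(player)
    lastAccepted[player] = nil
end)
```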

Adonis is safe; however, Kronos detects it as a backdoor because it uses the LBI (most backdoors use that too).

Sent you a friend request on Discord. My name is ColonelJames#4129.

1 Like

It is important to note that require and InsertService aren’t the only ways to create a backdoor. Assuming one of your team members, or perhaps someone you allowed Team Create access before, had malicious intent, there are a few other methods to do so, such as creating a malicious remote that allows asset IDs as the arguments, making silent chat commands and then hiding that chat from other players in the server via “/c system”, etc.

These are methods most of these open-sourced backdoor-removal plugins simply can’t detect; rather, they are code you have to investigate and find yourself via CTRL + SHIFT + F :+1:

They had access to your game with a backdoor called “Dolphin bruh-side”

Try CTRL+SHIFT+F and search for “getfenv”. Check for any suspicious results.
If you find any “empty” scripts in your game, beware: sometimes backdoor loaders are hidden far to the right of the script, on the first line.

2 Likes
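
The manual searches suggested in this thread (require, InsertService, getfenv, and loaders hidden far to the right of a line) can be run in one pass from the Command Bar. This is an added example, not the code of any plugin or poster here; the pattern list and the `HIDDEN_GAP` threshold are assumptions.

```lua
-- Added example. Paste into the Studio Command Bar.
-- It only reports scripts to read by hand; it does not delete anything.
local PATTERNS = {
    { "require by numeric asset ID", "require%s*%(?%s*%d+" },
    { "getfenv", "getfenv" },
    { "loadstring", "loadstring" },
    { "InsertService", "InsertService" },
    { "LoadAsset", "LoadAsset" },
}
local HIDDEN_GAP = 100 -- assumed threshold for "far to the right"

local function inspect(source)
    local findings, lineNo = {}, 0
    for line in (source .. "\n"):gmatch("(.-)\r?\n") do
        lineNo = lineNo + 1
        for _, entry in ipairs(PATTERNS) do
            if line:find(entry[2]) then
                table.insert(findings, ("line %d: %s"):format(lineNo, entry[1]))
            end
        end
        -- Code pushed off-screen: a long run of spaces/tabs followed by text.
        for gap in line:gmatch("([ \t]+)%S") do
            if #gap >= HIDDEN_GAP then
                table.insert(findings, ("line %d: text after %d blanks"):format(lineNo, #gap))
                break
            end
        end
    end
    return findings
end

for _, inst in ipairs(game:GetDescendants()) do
    -- pcall: some instances are not readable, and not every class has Source.
    local ok, source = pcall(function()
        return inst:IsA("LuaSourceContainer") and inst.Source
    end)
    if ok and type(source) == "string" then
        local findings = inspect(source)
        if #findings > 0 then
            print(inst:GetFullName())
            for _, finding in ipairs(findings) do
                print("    " .. finding)
            end
        end
    end
end
```

A hit is a reason to read the script, not proof of a backdoor: a legitimate admin system will also match, as the Adonis output earlier in the thread shows. Modules fetched at runtime by `require(<ID>)` are not stored in the place, so only the call site is reported, not the module's source.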

Alright, I’ve assisted OP via Discord and TC in regards to the backdoor in his game: searched, found and removed the model. I’ve also run a check for the origin of the backdoors via MarketplaceService, and below is the full repro on how this SS backdoor is spreading around to unsuspecting developers that use free models:

Free Model with Backdoor inside

image

image

image

image

Profile of Backdoor Owner

Below is his inventory. I checked through 4 different models here and all 4 of them have the backdoor required in a script hidden in the model :+1:

CarStereo200’s Inventory

Personally, by default I highly encourage against using free models unless you know how to manually check for obfuscated / basic backdoors, because this is how SS backdoors like this are spreading around Roblox games, often by our own ignorance.

Don’t take this experience too harshly, however; mistakes happen, we live and we learn. After all, mistakes are only mistakes when you learn nothing from them!

So take valuable lessons from this where you can and move forward mates :+1:

8 Likes

If you still wanna use FMs, never fear!

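```lua
-- Point this at the model you want to strip.
local free_model = workspace["unsafe model name"]

-- Destroys every script and every Fire object anywhere inside the model.
local function better_safe_than_sorry(model)
    for i,v in pairs(model:GetDescendants()) do
        if v:IsA("LuaSourceContainer") or v:IsA("Fire") then
            v:Destroy()
        end
    end
end

better_safe_than_sorry(free_model)
```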

Edit to target a model too big to search manually, and paste the script in your Command Bar. It will search through all descendants of an unsafe model and delete any LuaSourceContainers (Scripts, LocalScripts, ModuleScripts) or Fire objects (more often than not, used to create unbearable amounts of lag).


Personally, I NEVER trust scripts not written by me or a trusted developer. It’s better to be safe than sorry, even if that means hiring a builder/scripter.

1 Like

There’s not really a point removing fire if you have removed all scripts.

Can you supply us with a link to your game?

I also sent you a friend request on Discord. I’d really appreciate your assistance!

2 Likes