How to break the “Project Ligma” backdoor

I am personally not a big fan of Harkinian, so I’m just gonna make this patch public and see what happens.

Project Ligma is a server-sided backdoor created by Harkinian and Unverified. It gives a group of around 14 people access to run scripts on your game via the server, basically rendering FilteringEnabled useless.

If you want to see if your game is backdoored by it, make a script, connect to the UnMutePlayerRequest remote and log it to a server. If you see any unusual data being sent, like “require(number).load(‘username’)”, then your game is backdoored by Project Ligma.

How to remove it:
Use the server-defender plugin by @Madpoint83

How to render it unusable (in case you can’t remove it):
Sometimes Project Ligma uses vulnerabilities in free models such as Adonis. If you want to stop their RemoteEvent from being able to execute anything, this is how:

Make a script that keeps deleting the UnMutePlayerRequest remote; it’s pretty much useless anyways. If you want to replace it, just look for ChatServiceRunner and change the name of the remote to something else, then on the client ChatService change the name there as well and you should be good.

Hope this helps anyone who has to deal with Erased_Citizen joining your game and breaking everything.

Remember kids, snipping is very salty and you should always apologize for it.

Edit: Just found out they have a backup remote, so make sure to log your remotes for a function like “require”.

11 Likes
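Here is an added example of the two things the post describes (logging what goes through the chat remote, and deleting that remote so it cannot be used as an execution channel). This is illustrative code written for this thread, not the poster’s script or part of the legacy chat system. It assumes the legacy Lua chat system creates its remotes under ReplicatedStorage.DefaultChatSystemChatEvents at runtime, which is why it listens for DescendantAdded rather than only scanning once.

```lua
-- Added example, not from the original post. Server Script: in "monitor" mode
-- every RemoteEvent under ReplicatedStorage is logged when a payload contains
-- tokens that do not belong in chat traffic; in "block" mode the named remote
-- is also destroyed whenever it appears (the post's "keep deleting it").
-- Assumption: the legacy chat system places UnMutePlayerRequest under
-- ReplicatedStorage.DefaultChatSystemChatEvents.
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local REMOTE_NAME = "UnMutePlayerRequest"
local MODE = "block" -- "monitor" keeps the remote and only logs

-- Substrings that have no business in a chat payload (lowercased matching).
local SUSPICIOUS = { "require", "getfenv", "setfenv", "loadstring", "%.load%(" }

local function isSuspicious(value)
	if typeof(value) ~= "string" then
		return false
	end
	local lowered = string.lower(value)
	for _, pattern in ipairs(SUSPICIOUS) do
		if string.find(lowered, pattern) then
			return true
		end
	end
	return false
end

local function report(player, remote, args)
	local rendered = {}
	for i = 1, args.n do
		-- tostring keeps Instances/tables flat; cap length so one call cannot flood the log
		rendered[i] = string.sub(tostring(args[i]), 1, 300)
	end
	-- warn() lands in the server output; replace with HttpService:PostAsync to ship it off-game.
	warn(string.format("[remote-watch] %s (%d) -> %s: %s",
		player.Name, player.UserId, remote:GetFullName(), table.concat(rendered, " | ")))
end

local function watch(remote)
	remote.OnServerEvent:Connect(function(player, ...)
		local args = table.pack(...)
		for i = 1, args.n do
			if isSuspicious(args[i]) then
				report(player, remote, args)
				break
			end
		end
	end)
end

local function handle(instance)
	if not instance:IsA("RemoteEvent") then
		return
	end
	if instance.Name == REMOTE_NAME and MODE == "block" then
		warn("[remote-watch] removing " .. instance:GetFullName())
		instance:Destroy()
		return
	end
	-- Every other remote is watched too, which also covers a renamed "backup" remote.
	watch(instance)
end

-- Handle remotes that already exist, then anything created later.
for _, inst in ipairs(ReplicatedStorage:GetDescendants()) do
	handle(inst)
end
ReplicatedStorage.DescendantAdded:Connect(handle)
```

Run it in "monitor" mode first to confirm the remote is actually carrying odd payloads before switching to "block", since destroying the remote disables the legacy chat’s unmute feature for everyone.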

Is this backdoor only installed through scripts on free models, or can any game be compromised?

2 Likes

The latter isn’t possible. If you have this backdoor, it’s because you used unsafe external code. Always read what you insert; you don’t have to be an expert, just really look for and scrutinize things that perform unsafe operations, such as calls to require or anything sus that may try to mask these calls, such as getfenv.

3 Likes

Actually, any game with vulnerabilities can be compromised. As I said in my post, they use vulnerabilities in free models such as Adonis. Even if the model doesn’t have “require” or “getfenv”, there may be more ways they could insert the model, such as models that give you a hat where the hat giver RemoteEvent doesn’t actually check what it’s giving you first.

A lot of games have been compromised this way such as @Tyrannizer’s “Roblox Talent Show”. One of my friends used a vulnerability that I found in that game on Adonis where you can insert models using the :face me command (this is patched now).

Any game with a vulnerability in a RemoteEvent can be compromised, I would recommend logging all your events to a server to check for suspicious activity and then patch the bugs if you notice any.

Any game that has a source code leak can also be vulnerable to this backdoor, because then the source code of the RemoteEvents is public and, depending on how secure they are, you may or may not get bots with exploits joining your game to backdoor it with a tool like Synapse or Script-Ware.

Edit: fixed punctuation

1 Like

Refer to this reply: How to break the “Project Ligma” backdoor - #4 by Smellypooper3

I make all my own assets, write my own code, and constantly limit what the client is able to do. I have not considered a server side attack, so I’m here to learn!

“Project Ligma” is something I never thought someone would name a backdoor…

7 Likes

Tbh it almost feels like satire

3 Likes

Any game with a vulnerability in a RemoteEvent can be compromised, I would recommend logging all your events to a server to check for suspicious activity and then patch the bugs if you notice any.

In practice, this can be cumbersome. Especially if exploits are involved, or subpar remote design where in both cases remotes are spammed, this can really bloat your logs to the point your database will throttle you, or you won’t end up seeing anything useful. Rather than try to look through a haystack after the fact, always sanitize input.

Any game that has a source code leak can also be vulnerable to this backdoor because then the source code of the RemoteEvents are public and depending on how secure they are you may or may not get bots with exploits joining your game to backdoor it with a tool like Synapse or Script-Ware.

Even unsecured RemoteEvents aren’t inherently vulnerable like your latter statement implies; it all depends entirely on how you use them. You will never backdoor your game this way unless you perform unsafe operations that attempt to vary execution based on remote input, such as executing a module with a user-given string or using loadstring, getfenv, etc.

However, use of free models is a bit of a different story. The whole Adonis thing is interesting, because as a top resource you wouldn’t think to scrutinize it, but I guess sometimes you can’t be too sure.

However, good thing that there are more streamlined resources that have a dedicated open source which are maintained constantly and scrutinized for safety / performance concerns, like right here on the devforum for example.

Rather than the Wild West that is toolbox scripts… Again, always watch what you insert.
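The point this reply makes, that a remote is only dangerous when the server lets client input decide what code runs, is easiest to see with the unsafe handler next to a safe one. The following is an added example written for this thread, not code from anyone in it; the remote name (LoadFeature) and the module paths under ServerScriptService.Features are made up for illustration.

```lua
-- Added example, not from the thread. Assumed setup: a RemoteEvent named
-- "LoadFeature" in ReplicatedStorage and ModuleScripts under
-- ServerScriptService.Features (hypothetical names).
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerScriptService = game:GetService("ServerScriptService")

local remote = ReplicatedStorage:WaitForChild("LoadFeature")

-- UNSAFE: the client-supplied value decides what require() runs. If the value
-- is an asset id, require fetches and executes code from outside the place,
-- which is exactly the "vary execution based on remote input" pattern above.
local function unsafeHandler(player, moduleRef)
	local module = require(moduleRef) -- never pass client input to require
	module.run(player)
end

-- SAFE: the client may only name a key from a fixed allowlist. The server owns
-- the mapping from key to module, and every module lives inside the place.
local FEATURES = {
	shop = ServerScriptService.Features.Shop,           -- hypothetical ModuleScript
	inventory = ServerScriptService.Features.Inventory, -- hypothetical ModuleScript
}

local function safeHandler(player, featureKey)
	-- Type check first: exploited clients can send any Lua value.
	if typeof(featureKey) ~= "string" then
		warn(string.format("[LoadFeature] %s sent non-string key", player.Name))
		return
	end
	local target = FEATURES[featureKey]
	if target == nil then
		warn(string.format("[LoadFeature] %s sent unknown key %q", player.Name, featureKey))
		return
	end
	require(target).run(player)
end

-- Only the safe handler is ever connected; unsafeHandler exists to show the contrast.
remote.OnServerEvent:Connect(safeHandler)
```

The allowlist table is the whole fix: the client’s string is reduced to a lookup key, so nothing it sends can introduce code the server did not already ship.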

It’s not satire, actually; there are videos of people using it, like this one, which actually shows the watermark in the corner.

Edit: Fixed link

A better way to stop this plugin is by searching for “require” and “getfenv” using Ctrl + Shift + F, then removing all the scripts that have require* and getfenv that you don’t trust.

* require is used to get code from outside your game or from a module script inside your game. If the require looks something like: require(ServerScriptService.ControlModule) it’s fine, but if it looks like require(lIlililiIil), require(a), or require(57239427) it’s probably bad unless it’s from a creator you completely trust.
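The Ctrl + Shift + F search in the post can be automated from the Studio command bar, which also catches the obfuscated-identifier case (require(lIlililiIil), require(a)) that a plain text search for a number misses. This is an added example, not the poster’s method; it assumes it is run in Studio, where Script.Source is readable from the command bar (running game code cannot read it).

```lua
-- Added example, not from the thread. Paste into the Studio command bar.
-- Lists every script whose source calls require with a numeric asset id or a
-- bare identifier, or touches getfenv/setfenv/loadstring. Dotted paths such as
-- require(ServerScriptService.ControlModule) are not flagged.
local CONTAINERS = {
	game:GetService("ServerScriptService"), game:GetService("ServerStorage"),
	game:GetService("ReplicatedStorage"),   game:GetService("ReplicatedFirst"),
	game:GetService("StarterPlayer"),       game:GetService("StarterGui"),
	game:GetService("StarterPack"),         game:GetService("Workspace"),
	game:GetService("Lighting"),
}

local function classify(line)
	-- require(57239427): code fetched from outside the place at runtime
	if line:match("require%s*%(%s*%d+%s*%)") then
		return "numeric require"
	end
	-- require(a) / require(lIlil): the target is decided by a variable, so the
	-- search result alone does not tell you what runs; verify by hand
	local ident = line:match("require%s*%(%s*([%a_][%w_]*)%s*%)")
	if ident and ident ~= "script" then
		return "indirect require (" .. ident .. ")"
	end
	if line:match("getfenv") or line:match("setfenv") or line:match("loadstring") then
		return "environment/loadstring use"
	end
	return nil
end

local results = {}
for _, container in ipairs(CONTAINERS) do
	for _, inst in ipairs(container:GetDescendants()) do
		if inst:IsA("LuaSourceContainer") then
			-- pcall: some instances refuse Source access even in Studio
			local ok, source = pcall(function() return inst.Source end)
			if ok and typeof(source) == "string" then
				local lineNo = 0
				for line in (source .. "\n"):gmatch("(.-)\n") do
					lineNo += 1
					local why = classify(line)
					if why then
						table.insert(results, string.format("%s:%d  [%s]  %s",
							inst:GetFullName(), lineNo, why, (line:gsub("^%s+", ""))))
					end
				end
			end
		end
	end
end

if #results == 0 then
	print("[audit] no require/getfenv/loadstring findings")
else
	print("[audit] " .. #results .. " finding(s):\n" .. table.concat(results, "\n"))
end
```

Treat the output as a review list, not a verdict: a flagged require on a local variable may be perfectly legitimate, but each entry is a place where the code running in your game is not obvious from the line itself.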

Backdoors, including Project Ligma, are just code in a script that you have in your game. They aren’t anything more or less. All you need to do is remove the code.

That simply isn’t true. Again, a lot of these private backdoors use vulnerabilities in the game that the developer sometimes won’t even realize are there. Sometimes even if a game doesn’t use toolbox or plugins at all, it will still be vulnerable to backdoors due to unsanitized inputs and accidental usage of “InsertService” without checking the model being inserted. I’m almost 100% sure that Project Ligma doesn’t use require or getfenv, because if they did then they wouldn’t still have huge games like Little Angels Daycare, Emerald Theater, or Roblox Talent Show infected. It’s very clear that you didn’t read most of the post and just pasted a response for internet helpful points or Chinese social credit farming. Please read the entire post before you reply.

Sanitization of RemoteEvents is okay, but the thing is that most of the time the inputs aren’t going to be spammed, because a lot of backdoor/serverside owners tell their members not to spam the execution remotes, since they also log what the backdoor user is executing. The reason they log this is because they are normally not allowed to use scripts that are too noticeable, to the point where a developer of the game is going to notice and do things to disable and/or remove the backdoor.

Instead of filtering them for spam, why not just implement a rate limit on the remote events or the RemoteEvent logger (something which should already be done in the first place), so that you can still see if there is any malicious activity and it won’t send tons of unwanted data to the server, only small amounts.
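A rate limit in front of the logger, as suggested here, keeps a spammed or badly designed remote from flooding whatever store the logs go to while still recording that something happened. The following is an added example written for this thread, not code from any participant; it hooks every RemoteEvent under ReplicatedStorage and the limits are constructed values.

```lua
-- Added example, not from the thread. Per-player fixed-window rate limit in
-- front of a remote-event logger. Constants are constructed for illustration.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local MAX_LOGS_PER_WINDOW = 5 -- entries one player may log per window
local WINDOW_SECONDS = 10

local buckets = {} -- [UserId] = { count = n, windowStart = t }
local dropped = {} -- [UserId] = entries suppressed since the last accepted one

local function allow(userId)
	local now = os.clock()
	local bucket = buckets[userId]
	if bucket == nil or now - bucket.windowStart >= WINDOW_SECONDS then
		bucket = { count = 0, windowStart = now }
		buckets[userId] = bucket
	end
	if bucket.count >= MAX_LOGS_PER_WINDOW then
		return false
	end
	bucket.count += 1
	return true
end

local function logRemote(player, remoteName, ...)
	if not allow(player.UserId) then
		-- Count instead of store: the fact that a player is over the limit is
		-- itself the signal, and it costs one integer rather than N log rows.
		dropped[player.UserId] = (dropped[player.UserId] or 0) + 1
		return false
	end
	local args = table.pack(...)
	local parts = {}
	for i = 1, args.n do
		parts[i] = string.sub(tostring(args[i]), 1, 200) -- bound each argument
	end
	local line = string.format("%d %s %s | %s",
		player.UserId, player.Name, remoteName, table.concat(parts, ", "))
	-- print() for the example; swap in HttpService:PostAsync or a batched DataStore write.
	print("[remote-log]", line)
	if dropped[player.UserId] then
		print(string.format("[remote-log] %d earlier entries from %s were suppressed",
			dropped[player.UserId], player.Name))
		dropped[player.UserId] = nil
	end
	return true
end

-- Hook every RemoteEvent that exists at startup or is added later.
local function hook(inst)
	if inst:IsA("RemoteEvent") then
		inst.OnServerEvent:Connect(function(player, ...)
			logRemote(player, inst.Name, ...)
		end)
	end
end
for _, inst in ipairs(ReplicatedStorage:GetDescendants()) do
	hook(inst)
end
ReplicatedStorage.DescendantAdded:Connect(hook)

-- Free per-player state when they leave so the tables do not grow forever.
Players.PlayerRemoving:Connect(function(player)
	buckets[player.UserId] = nil
	dropped[player.UserId] = nil
end)
```

The suppressed-count line is what makes the limit useful for detection rather than just cheaper: a player who trips it repeatedly shows up in the log even though their individual calls were dropped.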

I’m not from China. The InsertService has security checks. It’s from a required module, HTTPS requests, or loadstring (the last two have built-in security).

It’s impossible to use the InsertService for backdoors, because it only loads the game creator’s models.

Source

Security Check

An asset loaded by this function must be created or owned by either the game creator or Roblox. Additionally, benign asset types such as t-shirts, shirts, pants and avatar accessories are loadable from any game as they are public.

InsertService | Roblox Creator Documentation


Source? I believe this can’t happen anymore.

What are you going to do with thousands of data points? You might as well just detect exploiting then save incoming data to a normal datastore. That way you can use the data you’re collecting.

Or, even better, just design your client-server communication properly in the first place.

Please try to keep information on the developer forum accurate and be kind to other forum users :+1:

2 Likes

(post deleted by author)

One of my friends found a crap ton of info about Project Ligma and we have people. We had the remote event and the remote event key and then hark changed it because he noticed we had it lol. They still use the same RemoteFunction they just added some extra step to the whitelist and changed the key.

Edit: also who are you and why do you know that I’m associated with Daniel

Seems like you created it; never heard of this, and your bio is quite suspicious.

Just out of curiosity, what’s preventing someone from just removing the model? Is there some way it “attaches” to the game so even if the model’s removed, it still exists?

From what I’ve been able to gather from this, I don’t think there’s any problems hindering just removing the infected models. I think the main reason people don’t think to remove them is because the program exploits vulnerabilities in useful models you might already have in your game such as Admin Command packages.

You’d obviously know to remove infected models when you find them, but you’ve then got the problem of having no Admin Commands in your game.

What I want to know is how they’re able to do this. This seems like a huge security risk if they can just break into any game.

1 Like

No I did not create it, my backdoor is called “Nonamer”. I just have happened to strongly dislike “Project Ligma”.