How to break the “Project Ligma” backdoor

It normally doesn’t come as a model, it normally uses an account that will join your game and fire a RemoteEvent that has a vulnerability in it and somehow get the server to run a require.

Right, but how does it “manifest”, or what’s an example of what a vulnerable remote might look like/a code sample of what the vulnerability might look like?

I can’t really provide a code example because I’m on mobile right now, but there are a lot of attack vectors that backdoors like this use. The most common is normally from InsertService without checking what the model actually is and combining that with a way to change properties via the server.

Example: some developer will have Person299’s admin V2 in their inventory and the attacker will insert it with an InsertService vulnerability, then the “code” StringValue and the LBI script’s Disabled property will be changed with some sort of property-changing vulnerability and boom, server-sided code execution.

Edit: I used the wrong “there,their,they’re”


Just found out they have an alternative remote that they use.

LOG YOUR REMOTES!
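To illustrate both points above (the InsertService-plus-property-change vector, and logging remotes), here is a defensive server Script written as an added example; it is not code from any poster in this thread. It assumes a RemoteEvent named "SpawnProp" in ReplicatedStorage (a hypothetical name) and placeholder asset IDs.

```lua
-- Server Script (added example, not from any poster in this thread). It assumes a
-- RemoteEvent named "SpawnProp" in ReplicatedStorage; the name is hypothetical.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local InsertService = game:GetService("InsertService")
local Players = game:GetService("Players")
local spawnProp = ReplicatedStorage:WaitForChild("SpawnProp")
-- The client sends a key, never an asset ID or a property name, so it cannot
-- steer the server toward an arbitrary inventory model or a Disabled property.
local ALLOWED_PROPS = {
	crate = 0, -- placeholder asset IDs; replace with reviewed assets
	lamp = 0,
}
local RATE_SECONDS = 1 -- minimum gap between accepted calls per player
local lastCall = {}

-- Every call, allowed or denied, is logged with the caller's identity.
local function logRemote(player, remoteName, allowed, detail)
	print(string.format("[remote] %s (%d) %s -> %s: %s",
		player.Name, player.UserId, remoteName, allowed and "ALLOW" or "DENY", detail))
end

spawnProp.OnServerEvent:Connect(function(player, key)
	if type(key) ~= "string" then
		logRemote(player, "SpawnProp", false, "non-string argument")
		return
	end
	local now = os.clock()
	if lastCall[player] and now - lastCall[player] < RATE_SECONDS then
		logRemote(player, "SpawnProp", false, "rate limited")
		return
	end
	lastCall[player] = now
	local assetId = ALLOWED_PROPS[key]
	if not assetId then
		logRemote(player, "SpawnProp", false, "unknown key " .. key)
		return
	end
	local ok, model = pcall(InsertService.LoadAsset, InsertService, assetId)
	if not ok then
		logRemote(player, "SpawnProp", false, "LoadAsset failed: " .. tostring(model))
		return
	end
	-- Strip every script from the loaded asset so a compromised model cannot run code.
	for _, inst in ipairs(model:GetDescendants()) do
		if inst:IsA("LuaSourceContainer") then inst:Destroy() end
	end
	model.Parent = workspace
	logRemote(player, "SpawnProp", true, "loaded " .. key)
end)

Players.PlayerRemoving:Connect(function(player) lastCall[player] = nil end)
```

The denied-call log lines are what make an unexpected remote (or a flood of calls from one account) visible in the server output.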

I think you are misunderstanding how insert service works. Insert service only allows inserting trusted assets.

That doesn’t have LBI, it uses vanilla loadstring, which in all use cases is disabled.

Unless you have vanilla loadstring enabled, but in that case it’s your fault.

That is simply a theory. Do you have any actual evidence about this?

There are frontpage games with getfenv/require viruses.

This itself would be a full backdoor. So I don’t think you need an LBI.

InsertService allows you to insert anything made by the creator or in the creator’s inventory.

Edit: I meant the game creator

Yes. But it would only work if the creator had backdoors in their inventory.

Or a model with an even more stupid vulnerability like an old version of “Pompous The Cloud”. There are also models that are made by Roblox with vulns in them that I found, but I’ll keep those to myself.


But that still wouldn’t allow LBI access, meaning remote blocking would be unnecessary.

To the Roblox Talent Show thing: I was personally involved with trying to track down the backdoor there. It was present in new servers, even without Adonis being installed anymore (it was removed for a while.) Something inserted via :face would only last up until the server dies, and even if it messed with the datastore in that time there’s no way for it to gain persistence unless something else was loading something from the datastore that it added (which in this case, wasn’t happening/didn’t seem to be the case. It was narrowed down to some modules in ServerScriptService last I heard.) Should also be noted that the :face command still would only let you insert models owned by the place owner or Roblox, so it was still niche and required a compromised model to already be in one of the two’s inventories.

This is a long way of saying I’m pretty sure an actual model/module/library used in the game was compromised and was actually saved as part of the game, as opposed to something that was getting loaded later. Face command was an issue but was patched as soon as it was noticed and ultimately wasn’t the root cause of the issue they were having.

There’s a lot of ways that an LBI could be added to this, I’m pretty sure something like Kohl’s V2 has an LBI and does the same thing that Person299’s admin can do.

It doesn’t. It uses vanilla loadstring(), which only works on games where it is enabled (meaning none).

It’s kinda funny that you say this after joining a VC with loaf and laughing about an old reply where I said Adonis has vulnerabilities in it.
Also I’ve found multiple ways that you could run Lua on all servers at once or save code in the datastore, causing a permanent backdoor. Adonis is getting old and no one should use it lol.

I have a friend who literally got a dev to send him the API keys and they were using it to rank to Moderator in the group, then they were using Adonis vulnerabilities with a bot that would join servers in order to backdoor the game.

I’m pretty sure that Adonis was the root cause of RGT getting backdoored multiple times by Voxel and Ligma.

hark is overrated anyways.

The best way to protect your game is to not use FMs and unsafe/unverified plugins. There are indeed many ways to insert a backdoor in a game, but they all come down to passing and handling data. If your data handler is insecure, then insecure data will eventually be passed. This post is great though (specifically the Adonis vuln part) because it showcases how even verified assets that are trusted can have their flaws as well.

Still don’t know “loaf” and haven’t been in a VC with them so I can only assume your intent is to bait/spread misinformation then.

Bot can’t join a personal server. Try again.

Also even if there was a vuln with the webpanel stuff, it can’t run unless the setting is specifically enabled (which is disabled by default and thus would only affect the very small subset of people using it, of which RTS is not one), so, once again, try again.

It’s annoying that I need to go out of my way to rebuke any misinformation you attempt to spread just to make it clear to anyone reading that it is, in fact, misinformation. I guess in that sense it is indeed an effective bait as it forces me to reply, and is ultimately irritating, so good job on that end I guess.

To anyone reading this: independent research and analysis is an amazing thing, try it.
I will now return to my multi-month devforum hibernation, as per the usual.

You admit to breaking the Roblox TOS?

Also a thing which I would consider is that he suspects Adonis of being a backdoor, but
he himself has botted a lot of fake Adonis backdoor models: