How to prevent this exploit?

This would work but not get rid of the underlying problem. It’s always best to find and eliminate the source.

2 Likes

I agree, but until he can figure out the backdoor, it would serve as a temporary fix.

1 Like

Does this game have Team Create enabled? It could have been somebody else who has inserted a free model or has a malicious plugin installed.

Wasn’t Experimental Mode removed a while back? Even if FilteringEnabled is set to false, the game should be FE.

5 Likes

Team Create is enabled, but the only accounts added are my other accounts for when I want to edit “incognito”.

I would recommend using Kronos to find backdoors. Also make sure that any of your team create accounts weren’t compromised.

1 Like

I do not know what game it is, but…
try using the search in scripts for “require”;
maybe that works. I know where backdoors are placed on most popular ones,
but I don’t know how to remove some.

Hmm, I still get this kind of behavior :confused:

Edit:
Will post a bug report if I find out it’s caused by studio and not team create members.

1 Like

Weird. According to this, Experimental Mode was discontinued. Maybe I’m reading it wrong :neutral_face:.

2 Likes

No backdoors were found in the game according to the plugin.

And I searched for “require” throughout the entire game, and none of them seemed out of place.

1 Like

At this point, I see no reason to not try the above. To me, it seems it has to be the commands.

Edit: What you can even do is use the above script that @wevetments made and change it to detect if anyone spawns explosions (disregard the forcefield as it may spawn for a second when the character spawns/dies).

2 Likes

Going to try this & revert to the old person299 admin script until I create my own.

2 Likes

I recommend disabling all admin, even just for a few days, to see if the exploiter can still do his thing. You can still kick and kill people through the Developer Console if necessary.

Also, you don’t need to make your own admin, just make your own ban script. This way, if the admin commands catastrophically fail, your game is still safe as your code still doesn’t allow the banned players in.

10 Likes

I could help you out, could be a good chance to improve Kronos.
Add me on Roblox so we can talk.

Please, may you and @Liliardio let me know when you find the problem? I am interested to see if it is indeed the admin or a very hidden backdoor.

Thanks!

If you’re totally out of options, you can do something like connecting to all remotes, storing the last 30 calls, and then, when a forcefield is detected via DescendantAdded, saving the logs or uploading them somewhere.

Weak solution but could work.
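
The remote-logging idea from the post above, sketched as a server Script in Luau (an added example, not code from any poster in this thread). The two search roots, the `SPAWN_GRACE` window and writing the history to the server log with `warn()` are assumptions; only RemoteEvents are hooked, and a ForceField that shows up right after a spawn is treated as the normal spawn shield.

```lua
-- Server Script, e.g. in ServerScriptService (added example, not from the thread)
local Players = game:GetService("Players")

local MAX_CALLS = 30    -- history size suggested in the post
local SPAWN_GRACE = 5   -- assumed: seconds after spawn in which a ForceField is treated as normal
local ROOTS = { workspace, game:GetService("ReplicatedStorage") } -- assumed remote locations
local recentCalls, spawnedAt = {}, {}

local function watchRemote(inst)
	-- Only RemoteEvents: RemoteFunction.OnServerInvoke is a single callback,
	-- so setting it here would replace the game's own handler.
	if not inst:IsA("RemoteEvent") then return end
	inst.OnServerEvent:Connect(function(player, ...)
		local args = table.pack(...)
		for i = 1, args.n do
			local v = args[i]
			args[i] = typeof(v) == "Instance" and v:GetFullName() or string.sub(tostring(v), 1, 80)
		end
		table.insert(recentCalls, string.format("[%.1f] %s (%d) fired %s(%s)", os.clock(),
			player.Name, player.UserId, inst:GetFullName(), table.concat(args, ", ", 1, args.n)))
		if #recentCalls > MAX_CALLS then table.remove(recentCalls, 1) end
	end)
end

for _, root in ipairs(ROOTS) do
	for _, inst in ipairs(root:GetDescendants()) do watchRemote(inst) end
	root.DescendantAdded:Connect(watchRemote)
end

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function() spawnedAt[player] = os.clock() end)
end)
Players.PlayerRemoving:Connect(function(player) spawnedAt[player] = nil end)

workspace.DescendantAdded:Connect(function(inst)
	if not inst:IsA("ForceField") then return end
	local character = inst.Parent
	task.wait(0.5) -- let CharacterAdded record the spawn time first
	local owner = character and Players:GetPlayerFromCharacter(character)
	if owner and os.clock() - (spawnedAt[owner] or -math.huge) < SPAWN_GRACE then return end
	warn(("ForceField appeared at %s; last %d remote calls:\n%s"):format(
		inst:GetFullName(), #recentCalls, table.concat(recentCalls, "\n")))
end)
```

An empty history when the warning fires points away from remotes and toward server-side code (an admin script or a required module) as the source.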

Treating the symptom is not a solution. If there’s a backdoor then other, possibly worse things are also possible.

OP should disable admin commands completely. Also share the script / asset link they’re using. Maybe they picked up an impersonator?

1 Like

If OP found out which remote is the cause, they could just check every script which uses that remote and figure out what could be the problem. So it isn’t “treating the symptom”, but rather using it to get to the core.

As for the admin script, OP mentioned they’ve been using the same one for over 2 years so I doubt it could be related, unless the admin creator’s account got compromised.

Because of the way player movement works (with the player having network ownership of the character and everything), doesn’t adding a forcefield to the player get around filtering enabled? So, in other words, this exploiter is just adding children to his own character to do this?

The reason the client can’t read or write server code is because the bytecode is never sent to the client; only bytecode from LocalScripts is. I don’t know how you prevent client modifications from the server because the majority of the changes on the client don’t replicate to the server…