A game of mine has been exploited/hacked so much this past week. It seems like it’s the same exploiters trying to ruin others’ gameplay but just using different accounts.
My game is currently using Adonis for admin, but the exploiters seemed to use their own admin. The admin they used has everything you need to destroy a server. It sends messages, changes leaderboard stats, uses tools, kills players in many types of “fun” ways, gets a player to say a message they didn’t type, pretty much everything a free admin model would give, but they’re definitely not using Adonis.
The exploiters also seemed to bypass everything in the game. They’ve bypassed the chat filters and many anti-exploit scripts.
Here is an anti-exploit script I made. It doesn’t cover everything but it was the best I could do:
```lua
local Players = game:GetService("Players")
local LocalPlayer = Players.LocalPlayer
repeat wait() until LocalPlayer.Character
repeat wait() until LocalPlayer:FindFirstChild("Backpack")
local Character = LocalPlayer.Character
local HumanoidRootPart = Character:WaitForChild("HumanoidRootPart")
local Backpack = LocalPlayer:WaitForChild("Backpack")
local Anti = script.Parent:WaitForChild("AntiSecure")

-- Checking player's rank to see if they are exploiting or just using admin.
-- Players ranked 7 or higher never leave this loop, so the checks below do not run for them.
while true do
	wait()
	if LocalPlayer:GetRankInGroup(5101119) < 7 then
		break
	end
end

-- Body movers that fly scripts typically insert
local Bodys = {
	["BodyGyro"] = true,
	["BodyVelocity"] = true,
	["BodyPosition"] = true
}

local PreviousPosition

function Kick()
	LocalPlayer:Kick("Exploiting Detected")
end

-- Kicks if the character moves 140 studs or more within one second.
-- Note: this function is defined but never called in this script.
function CheckTeleport()
	if HumanoidRootPart == nil then return Kick() end
	local PositionFirst = HumanoidRootPart.Position
	delay(1, function()
		local PositionSecond = HumanoidRootPart.Position
		if (PositionSecond - PositionFirst).magnitude >= 140 then return Kick() end
	end)
end

-- Anti Btools
Backpack.ChildAdded:Connect(function(Obj)
	if Obj:IsA("HopperBin") then return Kick() end
end)

-- Anti Fly
HumanoidRootPart.ChildAdded:Connect(function(Obj)
	if Bodys[Obj.ClassName] then return Kick() end
end)

-- Anti Humanoid Destroyer
HumanoidRootPart.ChildAdded:Connect(function(Obj)
	if Obj:IsA("Humanoid") then return Kick() end
end)

-- Re-enable the companion AntiSecure script if it is disabled; kick if it has been removed
while wait() do
	if Anti.Disabled == true then
		Anti.Disabled = false
	elseif script.Parent:FindFirstChild("AntiSecure") == nil then return Kick() end
end
```
When playing with the exploiter, there is hardly any proof showing who exploited. I even used Adonis to see if anyone is exploiting which usually works but nothing appeared.
I’ve tried researching anything that relates to this issue and how to solve it, but I couldn’t find any. If you have anything that could help, it would be greatly appreciated if you respond down below with an answer. Thank you!
I don’t think we can say much about the root cause of your problem without more information.
Have you vetted every single free model in your game? Made sure there aren’t any malicious scripts?
By the way, anti-exploit measures in a LocalScript are inherently limited. If it runs on their machine, an exploiter can find a way to halt it. You can only add hurdles to the exploiter when it comes to anything running on their machine, but you can’t prevent client-side manipulation.
Also, I believe there are ways to bypass the chat filter without any scripting involved. At least there were when I saw a friend of mine do it a year ago — not sure if Roblox has patched it already.
> Have you vetted every single free model in your game? Made sure there aren’t any malicious scripts?
The only free model in the game is Adonis.
> By the way, anti-exploit measures in a LocalScript are inherently limited. If it runs on their machine, an exploiter can find a way to halt it. You can only add hurdles to the exploiter when it comes to anything running on their machine, but you can’t prevent client-side manipulation.
But it’s made so if they disable a script, it enables itself, and if they delete it, they are kicked from the game.
Again, things like this will make it more difficult, but ultimately it’s their machine, and they have total control. For example, they can delete the script that performs the check, then delete the other script. Even if you perform the check on the server, the client can delete the script from their game, but tell the server it’s still there. Exploiters will always have the upper hand on the client. That’s why anti-exploit LocalScripts are primitive measures at best.
Never trust the client
Just make your anti-exploit scripts server-sided like @Wizard101fire90 and @suremark said.
The thing is that you placed your anti-exploit script in the client; I can tell because of `Players.LocalPlayer`. Because it’s placed in the client, it won’t really do anything and is just as powerful as an anti-exploit written in JavaScript on the web at the end. While checking anti-exploits does make it more difficult (I admit I also add some anti-exploit script on the client side too), it’s run on their machine so they can control this.
And `if Anti.Disabled == true then` is redundant; you can achieve the same thing with `if (Anti.Disabled) then`.
Not a very good thing to spread without any actual proof. This is not true.
@OP it’s likely you have either a vulnerable remote lacking checks or you inserted a free model that has a backdoor. One of you or your team members may also have a plugin that inserts it. Additionally, make sure your Adonis model is from the real creator, and not a malicious copy.
You definitely have a backdoor in your game. Make sure you and your team aren’t using free models, and the plugins that they are using are official plugins. Also, search all scripts in your game for require, getfenv and setfenv and delete the script if you or your team didn’t make it.
Make sure you write your anti-exploits in SCRIPTS, not LOCALSCRIPTS. Localscripts are executed on the client, and the exploiter has full control over that. All it takes is them deleting the script, and even if you have a check for that, they can just bypass the :Kick() or change the code in the script to nothing.
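The OP's CheckTeleport idea moved into a server Script, as the replies above recommend. This is an added example, not code from any poster; the 140-stud limit and 1-second interval come from the OP's script, while `MAX_STRIKES` and the `ServerTeleported` attribute (set by the game's own teleport code) are assumptions.

```lua
-- Added example: a Script (not a LocalScript) placed in ServerScriptService.
local Players = game:GetService("Players")

local MAX_DISTANCE = 140   -- studs per check, the limit used in the OP's CheckTeleport
local CHECK_INTERVAL = 1   -- seconds, same as the OP's delay(1, ...)
local MAX_STRIKES = 3      -- assumption: tolerate a few lag spikes before kicking
local ALLOW_ATTRIBUTE = "ServerTeleported" -- hypothetical flag set by the game's own teleports

local function watch(player, character)
	local root = character:WaitForChild("HumanoidRootPart", 10)
	if not root then return end

	local lastPosition = root.Position
	local strikes = 0
	-- Stop when the player respawns or the character is destroyed
	while player.Character == character and root.Parent == character do
		task.wait(CHECK_INTERVAL)
		local moved = (root.Position - lastPosition).Magnitude
		if character:GetAttribute(ALLOW_ATTRIBUTE) then
			-- The server moved this character itself; accept the new position
			character:SetAttribute(ALLOW_ATTRIBUTE, nil)
		elseif moved >= MAX_DISTANCE then
			strikes += 1
			if strikes >= MAX_STRIKES then
				player:Kick("Exploiting Detected")
				return
			end
			root.CFrame = CFrame.new(lastPosition) -- put the character back
			continue
		end
		lastPosition = root.Position
	end
end

local function onPlayer(player)
	player.CharacterAdded:Connect(function(character)
		watch(player, character)
	end)
	if player.Character then
		task.spawn(watch, player, player.Character)
	end
end

Players.PlayerAdded:Connect(onPlayer)
for _, player in ipairs(Players:GetPlayers()) do
	onPlayer(player) -- covers players who joined before this script started
end
```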
Probably a backdoor. Go into a script and press CTRL + SHIFT + F. I believe that is the command to search every script for a keyword. You can search getfenv and require which are often used
The admin you are using has been exploited. The players probably saw this and took advantage. You should probably create a UI that comes on for admins only. There you can use commands. It would be a lot easier for you. Also it makes it where there are no exploiters.
Almost 100% this is a backdoor. Check all of the plugins you have and make sure they are credible. You can also press CTRL + SHIFT + F in studio and search for getfenv and usually that will show you any scripts with backdoors. Some backdoors are different though so you can try searching for require and deleting anything suspicious.
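The keyword search suggested in the replies above, done as one pass from the Studio command bar. This is an added example, not code from the thread; it also separates `require` called with a numeric asset ID, which loads a module from outside the place at run time, from `require` of a ModuleScript already in the game, a distinction the replies do not spell out.

```lua
-- Added example: paste into the Studio command bar (reading .Source needs Studio-level access).
local KEYWORDS = { "getfenv", "setfenv" } -- the names the replies say to search for

local function classify(line)
	local findings = {}
	for _, word in ipairs(KEYWORDS) do
		if line:find(word, 1, true) then
			table.insert(findings, word)
		end
	end
	-- require(<number>) pulls a module from the asset library instead of from this place
	local assetId = line:match("require%s*%(%s*(%d+)")
	if assetId then
		table.insert(findings, "require(asset id " .. assetId .. ")")
	elseif line:find("require", 1, true) then
		table.insert(findings, "require (check what the argument resolves to)")
	end
	return findings
end

local hits = 0
for _, inst in ipairs(game:GetDescendants()) do
	if inst:IsA("LuaSourceContainer") then -- Script, LocalScript and ModuleScript
		local ok, source = pcall(function() return inst.Source end)
		if ok then
			local lineNumber = 0
			for line in (source .. "\n"):gmatch("(.-)\r?\n") do
				lineNumber += 1
				for _, finding in ipairs(classify(line)) do
					hits += 1
					print(string.format("%s:%d  %s", inst:GetFullName(), lineNumber, finding))
				end
			end
		end
	end
end
print(hits .. " line(s) to review")
```

Obfuscated scripts can build the asset ID or the function name at run time, so a clean result from this scan does not clear a script nobody on the team wrote.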
Hi, I am using HD Admin, and also have someone coming in and getting Admin or sorta admin-like things, doing flying, mimicking what I say in chat, being able to go through walls, sending chat messages to people. I have searched all scripts for getfenv and there are none; I do see some require commands.
Can you expand on what to look for relating to require, and what not to have?
For example, in my obby I have
```lua
local RaceManager = require(ModuleScripts:FindFirstChild("RaceManager"))
```
For getting coins I have
```lua
local coinModule = require(game.ServerScriptService.CoinModule)
```
For pets I have
```lua
local petModule = require(game.ServerScriptService:WaitForChild("PetModule"))
```
What things should I be looking for?
Thanks
> local coinModule = require(game.ServerScriptService.CoinModule)

They’re using a load string and an executor to load the scripts.
I don’t doubt you know what one looks like as you’re a scripter, but they get their scripts from GitHub, or manually create / load through the executor.
Most likely the admin script they’re using is Rev. I’m not putting the full name to prevent the promotion of this admin exploit. DM me and I’ll send you the link to it so you can find a patch.