I have found Malicious code in my scripts... How?

I actually may have found the problem thanks to @TheDarth_Dot so thanks for the research!

I used to have this plugin (I don’t anymore) so it is a really big piece of information. Therefore, I am reporting this plugin.

2 Likes

I have already answered this. Yes, I checked their plugins and also checked their creators. Most of them were AlreadyPro’s plugins and Moon Animator, etc.

1 Like

Alright, so this may sound weird. But I have made a system so basically, when I’m going offline, I will remove all of their permissions. Then I’ll re-add their permissions in-game (via Studio). That’s how over-protective I am.

That isn’t really overprotective, it’s actually quite a good idea.

3 Likes

Only PluginSecurity can Source, so that’s not really possible.

1 Like

Well, some scripts actually somehow duplicate after you put them in; it seems like they get put somewhere to be constantly duped. Though it’s not “injection”, it’s a similar concept.

1 Like

RoSync is a backdoor virus that comes from a plugin. Example: if you are in team create with friends and when they create a script RoSync appears outta nowhere, that would mean that one of your devs has a fake/suspicious plugin or a plugin that has a backdoor. If you want to get rid of it, you would have to tell your friends to uninstall each plugin, and make sure it’s made by the original owner and not made by a new account or by an alt.

You could either remove the virus, or it’s hiding itself by deleting itself when RunService returns true from the function :IsStudio().

getfenv() returns a table of the functions and variables in the current environment. This can be used to easily attempt to hide a function.

In this case, it indexes string.reverse("\101\114\105\117\113\101\114"). If you see what this ASCII code corresponds to, "eriuqer", which when put through the reverse function gives you "require".

The script uses getfenv() and escaped ASCII codes to hide the require index in the table that is returned, then calls the require function with the asset id. Upon further inspection this is a quote-unquote “require chain”, which basically hooks up module scripts in a chain to require each other in an attempt to hide the final script in the chain.

The script uses require to get a chain of module scripts, which will eventually lead to a server-sided backdoor.

2 Likes
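As an added illustration of how a developer could hunt for the obfuscation pattern described above (getfenv lookups, escaped-ASCII string.reverse tricks, require of numeric asset ids, and the RunService:IsStudio() self-delete check), here is a Studio command-bar scan. This is my own example, not code from the thread or from any plugin it mentions; it assumes it runs at plugin security level (command bar or a plugin), since only that level can read Script.Source, and the pattern list is my own choice, not an exhaustive signature set.

```lua
-- Added example (not from the thread): scan every script in the place for the
-- obfuscation markers discussed above and decode any escaped string literals so
-- the hidden identifier (e.g. "eriuqer" -> "require") is shown in plain text.
-- Assumes plugin security (command bar / plugin) so that .Source is readable.

-- Lua patterns (not plain substrings) that are worth a manual look.
local SUSPICIOUS = {
	"getfenv",            -- environment table lookup used to hide a global name
	"string%.reverse",    -- reversed-identifier trick ("eriuqer" -> "require")
	"\\%d%d%d",           -- decimal escape sequences building a string byte by byte
	"require%s*%(%s*%d",  -- require of a numeric asset id (module fetched from the site)
	"IsStudio",           -- studio check used to stay hidden while the place is edited
}

-- Turn "\101\114..." escape text (as it appears in source) into the real bytes.
local function decodeEscapes(s)
	return (s:gsub("\\(%d%d?%d?)", function(d)
		local n = tonumber(d)
		if n <= 255 then
			return string.char(n)
		end
		-- out of byte range: leave the text untouched (gsub keeps the match on nil)
		return nil
	end))
end

-- Collect double-quoted literals that contain at least one decimal escape and
-- show both the decoded text and its reverse, since the thread's sample was reversed.
local function revealHiddenStrings(source)
	local found = {}
	for literal in source:gmatch('"([^"]*\\%d[^"]*)"') do
		local decoded = decodeEscapes(literal)
		table.insert(found, { raw = literal, decoded = decoded, reversed = decoded:reverse() })
	end
	return found
end

-- Return a report entry for one instance, or nil if it is not a script or is clean.
local function scanInstance(inst)
	if not inst:IsA("LuaSourceContainer") then
		return nil
	end
	local ok, source = pcall(function()
		return inst.Source
	end)
	if not ok or type(source) ~= "string" then
		return nil
	end
	local hits = {}
	for _, pat in ipairs(SUSPICIOUS) do
		if source:find(pat) then
			table.insert(hits, pat)
		end
	end
	if #hits == 0 then
		return nil
	end
	return { path = inst:GetFullName(), patterns = hits, strings = revealHiddenStrings(source) }
end

local function scanGame()
	local report = {}
	for _, inst in ipairs(game:GetDescendants()) do
		local entry = scanInstance(inst)
		if entry then
			table.insert(report, entry)
		end
	end
	return report
end

-- Self-check against the literal quoted in the thread: long brackets keep the
-- backslashes literal, exactly as the scanner would see them in source text.
assert(decodeEscapes([[\101\114\105\117\113\101\114]]) == "eriuqer")
assert(decodeEscapes([[\101\114\105\117\113\101\114]]):reverse() == "require")

for _, entry in ipairs(scanGame()) do
	print(("[suspect] %s matched: %s"):format(entry.path, table.concat(entry.patterns, ", ")))
	for _, s in ipairs(entry.strings) do
		print(("    literal %q decodes to %q (reversed: %q)"):format(s.raw, s.decoded, s.reversed))
	end
end
```

The scan only flags scripts for review; it deletes nothing, because a hit on `require(` with a numeric id can also be a legitimate module, so the decoded strings and the full path are printed for a human to judge. The literal matcher is deliberately simple (it does not handle escaped quotes inside a string), which is enough to surface the byte-by-byte escape trick the thread describes.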