Is there a good anti-exploit that I could use for my games?

It is either your plugins, a free model or your own scripts. Look at both server and client scripts. Also look at your own scripts. There is no way anyone can do it without a backdoor. There is an option in Studio called “ShowHiddenObjectsInExplorer” that reveals every hidden thing. You could take advantage of the developer console: in a server script, print all BaseScripts’ names (you would have to wrap them in pcall or else it will error on stuff like CoreScripts). Find one that isn’t supposed to be there.

Alright, I have done that and all of the scripts have been verified and are not malicious.

1 Like

I can confirm it is your admin that has a backdoor! You should use something like HD Admin which is completely open source.

3 Likes

Basic Admin Essentials 2.0 is completely open source too. Can someone link me the source to where they are finding that Basic Admin Essentials 2.0 has a backdoor?

I highly trust TheFurryFish and his admin. Many big groups use BA Essentials and it’s the most efficient admin for a company group.

Are you sure you checked it thoroughly enough? This kind of exploitation rarely happens to such a degree on games where some sort of vulnerability isn’t found. I think this is less of a glaring answer where you can pinpoint where an exploiter can access your code, and more of a general design flaw. Make sure nothing serious or critical is stored on the client-side to start, and if it HAS to be, use RemoteFunctions. (Either way, now with filtering enabled, RemoteFunctions are basically required for most client-server interactions.)

Big groups can include Bloxton Hotels, Frappe, SizzleBurger, etc.

Yes, I have checked thoroughly twice and there are no flaws.

Alright, well just be sure to see if the client-side code has any sort of places where messing with the code could screw around with the server.

The only client-side code that communicates with the server is the recycling bins and the animations for the items and those only fire the server with no arguments on both ends.

I’ll point out the same thing I did to someone else; how can you confirm this? Can you show us proof?

Do any of your remotes allow kicking a player? Are you sure you checked the plugins?

If you haven’t inspected your plugins already you can with this in the command bar:

local id = 123456789 -- plugin ID
game:GetObjects("rbxassetid://" .. id)[1].Parent = workspace

Also since it’s open source why don’t you check the code?

None of the remotes kick players. I am sure I checked all of my plugins; here are all of my plugins if you would like to review them yourself.

It’s not always plugins, it can also be models. If you have any models that are not made by you (free models or models that cost Robux), check those.

It’s not the plugins, it’s the models.
Enable your inventory and run Kronos in a new place with HttpEnabled and it should scan your models.

If the problem is not fixed, contact me.
Subpo#6387

1 Like

Okay, I have done that and it warns [MODEL] [BACKDOOR-LOADER] Kohl's Admin Commands V2: (NIL): NIL --> (MODEL ID: 100808216) in the output. I am confused because I do not own this model (https://www.roblox.com/library/100808216/Kohls-Admin-Commands-V2).

AFAIK that’s Kohl’s Admin, the predecessor to Kohl’s Admin Infinite. It has large security flaws and you should remove it.

I don’t even have the model. I ran Kronos in a new baseplate and that came up in the output.

Try this line of code on a ServerScript, a LocalScript and in the CommandBar before play testing (although RemoteEvent connections get disconnected when a script gets destroyed, all properties and callbacks set will remain, so they can also use a RemoteFunction):

for i, v in ipairs(game:GetDescendants()) do
	pcall(function()
		if v:IsA("BaseScript") then
			print(v.Name)
		end
	end)
end

Find a script that doesn’t belong (be sure it is not a Roblox script added by CoreScripts).
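
An added example, not part of the original post: a wider version of the listing above for the Studio command bar that also covers ModuleScripts (which `IsA("BaseScript")` skips), prints each script's full path, and marks sources worth reading by hand. The `RULES` patterns are assumed review heuristics, not Kronos's detection rules, and a match only means "open this script and read it".

```lua
-- Added example; run from the Studio command bar, where Source is readable.
-- RULES are assumed review heuristics, not Kronos's detection rules.
local RULES = {
	{ label = "require by numeric asset id", pattern = "require%s*%(%s*%d+" },
	{ label = "loadstring", pattern = "loadstring" },
	{ label = "getfenv", pattern = "getfenv" },
}

-- Returns the labels of every rule that matches the given source text.
local function matchRules(source)
	local hits = {}
	for _, rule in ipairs(RULES) do
		if string.find(source, rule.pattern) then
			table.insert(hits, rule.label)
		end
	end
	return hits
end

local total, flagged = 0, 0
for _, inst in ipairs(game:GetDescendants()) do
	-- pcall because some instances (e.g. CoreScripts) error on access.
	pcall(function()
		-- LuaSourceContainer covers Script, LocalScript and ModuleScript;
		-- BaseScript alone would skip ModuleScripts.
		if not inst:IsA("LuaSourceContainer") then
			return
		end
		total += 1
		local where = string.format("[%s] %s", inst.ClassName, inst:GetFullName())
		local readable, source = pcall(function()
			return inst.Source
		end)
		if not readable then
			print(where .. " (source not readable in this context)")
			return
		end
		local hits = matchRules(source)
		if #hits > 0 then
			flagged += 1
			warn(where .. " -> " .. table.concat(hits, ", "))
		else
			print(where)
		end
	end)
end
print(string.format("%d script objects listed, %d flagged for manual review", total, flagged))
```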

Alright, I have done that and there are no unwanted scripts.