If you don’t mind disclosing your game’s place file, there’s a good chance some curious developer could find the problem within your game.
An example of that happening before:
It’s also possible someone with game development privileges is betraying you, running stuff in the server’s command bar to allow these exploiters to annoy you in-game, bypassing any sanity checks you have in place.
But this one follows the same requirements as Scripts and LocalScripts and is completely different from the command bar in studio (it will still error on the API under LocalUserSecurity or PluginSecurity), also, this would only apply for that server and not every server.
All very valid points, however there is one last point that cannot be replicated with a premade. I worked on an admin a while back and if I found a problem with it I could easily identify where it was coming from and resolve it promptly. With premades, any issue you encounter (such as people exploiting a security flaw or certain ways of giving parameters for commands not being accepted) can almost always only be solved by asking the creator to do it for you, which has issues beyond my attention span. If you take on the task of fixing this yourself by manually editing the scripts this could have even worse consequences (since you dont fully understand the interactions within scripts.). The fact that you are having to familiarize yourself with large parts of a script simply to fix a problem can sometimes burn more time than just making your own system from scratch.
For my issue, One of my developers had a backdoored plugin that inserted some script, (into some UI). I ended up rescripting the whole game with my trusted dev and I never had any issues since.
I might be able to help you figure this one out, as I used to script backdoors way back when.
Chances are, you still have a backdoor in your game. Some are really blatant, like the free anti-exploits that you have to tick ServerScriptService.loadstringEnabled, but some are more sneaky.
Have you used any plugins that looked shady, or inserted any shady models?
If you need my help locating where they placed the backdoor (plugins have a higher thread level, so they can insert models into sneakier places like CoreGui and JointsService), dm me on discord: Tactical#2892
Make your own custom admin commands. Even reputable sources like HD Admin had bugs that gave exploiters full access. I recommend being in the game when this happens to look for any possible source of a backdoor so you can fix it.
Those types of exploits are generally caused by relying too much on the client, remotes should never get important information from the client. You should write your code with the assumption it will be tampered with. It is important to take into consideration that exploiters can essentially control the client, view client scripts and view the arguments from remotes so any security check must be performed on the server otherwise it can be bypassed.
I can confirm that even trusted FMs are pretty insecure.
A while ago, I figured out a vuln in BAE which basically let me insert any hat I wanted.
It was a pretty nasty one, which let me create brick spams, and even insert a few gears. I don’t think it was leaked (mostly since the exploit required to exploit the vuln had to have a function called “getupvalues”), but that’s besides the point.
Basically, don’t rely on FMs. Make your own stuff, as even trusted FMs aren’t usually secure.
Alright, thank you everyone. It turned out that it wasn’t a backdoor, but an exploiter joining on alts. They got banned and reported to Roblox Moderation.
Dude, what you show in the screenshots is literally impossible to do without having some kind of access on the server. If this was an exploiter joining to do this to you, they could do it because you have a backdoor.
As others such as Autterfly have mentioned, this is common ill-judged advice which is frequently passed around.
Creating admin systems from scratch understandably require a great deal of complexity to develop. It’s during this process where bugs, mistakes and vulnerabilities will almost certainly pop up. With up-to-date, reputable admin systems you can be confident these issues are weaved out, whereas if numerous users start from the ground up, you can guarantee similar problems will arise for exploiters to target again and again.
Not only do you save yourself a great deal of time by using or building-upon existing systems, you gain the advantage of frequent updates, bug fixes and support. More often or not, the top admins will have a repository where you can file issues and request changes.
For developers looking to create their own admin systems, consider expanding upon already existing, reliable frameworks such as Cmdr.