My game is backdoored and I can't find the backdoor

Hello, I own a roleplay game and our game got backdoored. I’ve had my programmers look all over for it and they say they can’t find it even in locations such as the games asset viewer. The people who backdoored the game want nearly 50K robux for them to tell us how to find the backdoor in the game. They say they used a “private method” to hide the backdoor and that’s it is very well hidden.

Our game has around 5600 scripts but if we remove our cars it lowers to 1200 scripts. Can anyone help or does anyone have advice?

https://www.roblox.com/games/5686097688/El-Paso-Border-Patrol-Roleplay?refPageId=82999cc0-d935-4da6-961c-855faf153f0e#

Check plugins first. See if they are all from the official creator and maybe disable script injection on all of them.

Require and env are not in the scripts and all of my plugins are from the real creator.

Disable http request, see if it solves your problem, what does the backdoor even do?

There is one other method, which you can do nothing about called core gui exploits. Exploiters know devs can’t access the core gui so we can’t detect scripts in it because it’s locked.

I know that their whitelist is probaly http based but a bunch of our core scripts rely on http service and the backdoor let them do what they want to the game

Question: How does your game have 5600 scripts?

Alot of the cars are the scripts without them its only 1200

Do you know of any free models added?

This may help: I think you may have to contact roblox about it though, maybe try get the account banned and reported to roblox.

If you can’t find the script in the explorer, its a plugin. I don’t know about this but I think all plugins that your developers have will affect the game. For instance if one of your devs has a bad plugin, the virus will be inserted. Easiest way to get rid of the virus is to check all your dev’s plugins for anything such as ‘require’ or ‘getfenv’. Also may I ask how you found out about the backdoor?

some plugins might be able to hide the backdoor and only insert it when u publish (then delete it right after)
not sure if they can do that though

They started nuke my game with map changes and pop up guis and started banning people from the servers and spamming inappropriate words on the screen

you should link every single plugin you have active cause it could be made by a group and groups can pick any name including the same as the creator

This can be because of plugins and scripts with a suspicious code.

You can use CRTL + SHIFT + F if your on windows and COMMAND + SHIFT + F on mac to search through scripts.

This might also be because one of your developers has a dangerous plugin.

If they are using a require() to insert the backdoor, then this plugin I made a while back with the intention of helping find backdoors might be of some use to you:

It doesn’t show the module id only require( of the vehicles, gun system etc but no the backdoor (module)

That’s unfortunate, do you know if you were using any free models and what they were if that was the case? It might also be from a plugin you have (even if it is by a “trusted developer” it still could contain something that is injecting the backdoor into your game’s code)

EDIT: You could also try using Ctrl + Shift + F and searching for usages of InsertService instead, they might be using it to insert the backdoor as an ordinary script instead when the game runs.

Still, we trying to search the module id the backdoor nothing shows up which is really weird. The people who backdoored the game want nearly 50K robux for them to tell us how to find the backdoor in the game.

Hi, I recommend also checking out with Ctrl + Shift + F The following words:

• loadstring
• setfenv
• getfenv

We already checked these words and we cannot find the module id of the backdoor which is really weird and they used a “private method” to hide the backdoor and that’s it is very well hidden.