My game is backdoored and I can't find the backdoor

If you can’t find the script in the explorer, it’s a plugin. I don’t know about this but I think all plugins that your developers have will affect the game. For instance, if one of your devs has a bad plugin, the virus will be inserted. The easiest way to get rid of the virus is to check all your devs’ plugins for anything such as ‘require’ or ‘getfenv’. Also, may I ask how you found out about the backdoor?

4 Likes

some plugins might be able to hide the backdoor and only insert it when you publish (then delete it right after)
not sure if they can do that though

They started to nuke my game with map changes and pop-up GUIs, and started banning people from the servers and spamming inappropriate words on the screen

you should link every single plugin you have active cause it could be made by a group and groups can pick any name including the same as the creator

This can be because of plugins and scripts with suspicious code.

You can use CTRL + SHIFT + F if you’re on Windows and COMMAND + SHIFT + F on Mac to search through scripts.

This might also be because one of your developers has a dangerous plugin.

If they are using a require() to insert the backdoor, then this plugin I made a while back with the intention of helping find backdoors might be of some use to you:

It doesn’t show the module id, only require( of the vehicles, gun system etc., but not the backdoor (module)

1 Like

That’s unfortunate, do you know if you were using any free models and what they were if that was the case? It might also be from a plugin you have (even if it is by a “trusted developer” it still could contain something that is injecting the backdoor into your game’s code)

EDIT: You could also try using Ctrl + Shift + F and searching for usages of InsertService instead, they might be using it to insert the backdoor as an ordinary script instead when the game runs.

Still, we are trying to search for the module id of the backdoor and nothing shows up, which is really weird. The people who backdoored the game want nearly 50K robux for them to tell us how to find the backdoor in the game.

Hi, I also recommend searching with Ctrl + Shift + F for the following words:

  • loadstring
  • setfenv
  • getfenv

2 Likes

We already checked these words and we cannot find the module id of the backdoor, which is really weird, and they used a “private method” to hide the backdoor and that’s why it is very well hidden.

I use GameGuard Anti Virus V2.5 [ALPHA] - Roblox and it helps find scripts that are viruses/backdoors.

Never tried any of these before but you could give some virus finder plugins a shot :eyes:

They look kind of old tho not sure if they would work

1 Like

They’re lying just to scare you. It’s probably a plugin. Show a list of all the plugins that you and your team use.

2 Likes

First of all, do NOT fall into their blackmail attempt, that only leads to further issues.

I have a few things

  1. Does the game use an admin system, if so, what is it?
  2. Some common keywords used in obfuscation;
    = require .load(game setmetatable string.char table.concat getfenv setfenv

Server Scripts cannot hide in hidden services or obscure locations. They can only run in Workspace or in ServerScriptService, Roblox made this change not too long ago.

I am very interested in helping you get rid of this backdoor, as nobody should have to pay 50,000 to a few annoying exploiters.

9 Likes

Have all of your developers checked their plugins, just in case? Also, a common thing is that a script may go on for a good while (scroll down to the bottom of that script, then there should be a vertical scrollbar; if that continues, go all the way to the end of it, there could be hidden code).

This is typically the cause with something called “RoSync”. They say that the script was last synced at a specific date, but then if you scroll all the way to the side, you get a loadstring containing malicious code.

3 Likes

RoSync can easily be detected with CTRL + SHIFT + F and searching for “getfenv”, as RoSync uses “getfenv” with string.reverse.

2 Likes

Could you share the place with me? USER: alexfinger21
discord: alexfinger21#2246

1 Like

Hi! Related to my other response that I deleted. More details and information, help.

I guess it is a backdoor that loads a serverside. These kinds of scripts come from plugins; they are known as backdoors.

So here are a couple of things…

CTRL + Shift + F and search for these..

“loadstring”
“marketplaceservice”
“insertservice”
“insert”
“teleportservice (in case)”
“string.reverse”
“IsStudio”
“setfenv”

Also if you still can not find it, please use this from @Christbru01
Hidden Infection Script Detector

The plugins that spread the serversides are usually impersonating known creators with groups or similar usernames. Check your plugins and their creators. Also check the plugins of everybody who can access the studio. The reason why you might not be finding it is that there are a couple of serversides that do not use "getfenv" or "require" to spread the serverside.

Please contact me in Discord through Tiitus#3617 if this does not help you at all.

1 Like
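
The searches suggested in this thread, combined into one pass. This is an added example, not part of the thread or of any plugin mentioned in it. It flags the suggested keywords, the same keywords written backwards (for string.reverse), and code pushed off-screen by long runs of spaces or blank lines. It assumes each script's source has been copied out as text; `scan_source`, its thresholds and the sample script are constructed for illustration.

```python
import re

# Search terms suggested across the thread, lower-cased for matching.
KEYWORDS = [
    "require", "getfenv", "setfenv", "loadstring", "string.reverse",
    "string.char", "table.concat", "setmetatable", "insertservice",
    "marketplaceservice", "teleportservice", "isstudio",
]

# Constructed sample, not taken from any real game or plugin.
SAMPLE = (
    "-- Last synced (constructed sample)" + " " * 200
    + 'local f = getfenv()[string.reverse("eriuqer")]\n'
    + 'print("vehicle spawner loaded")\n'
    + "\n" * 40
    + 'local ins = game:GetService("InsertService")\n'
)


def scan_source(name, source, pad=40, blank_run=30):
    """Return (script, line number, reason) tuples worth a manual look.

    pad and blank_run are assumed thresholds: code that follows that many
    spaces/tabs on a line, or that many empty lines, is off-screen in the editor.
    """
    padded = re.compile(r"\S[ \t]{%d,}\S" % pad)
    findings, blanks = [], 0
    for lineno, line in enumerate(source.splitlines(), 1):
        if not line.strip():
            blanks += 1
            continue
        if blanks >= blank_run:
            findings.append((name, lineno, "code-after-blank-lines"))
        blanks = 0
        lowered = line.lower()
        for kw in KEYWORDS:
            if kw in lowered:
                findings.append((name, lineno, "keyword:" + kw))
            if kw[::-1] in lowered:  # term written backwards for string.reverse
                findings.append((name, lineno, "reversed:" + kw))
        if padded.search(line):
            findings.append((name, lineno, "code-after-padding"))
    return findings


if __name__ == "__main__":
    for hit in scan_source("Workspace.Car.Script", SAMPLE):
        print(hit)
```

A keyword hit is only a pointer for review: ordinary scripts call require too, so the padding and reversed-keyword findings are the ones to open first.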

Who said they were telling the truth? Do you have any evidence that the ‘backdoor’ even exists?