My game is backdoored and I can't find the backdoor

Ggblocks20 · March 26, 2021, 9:51pm

I use GameGuard Anti Virus V2.5 [ALPHA] - Roblox and it helps find scripts that are viruses/backdoors.

Send_Scripts · March 26, 2021, 9:51pm

Never tried any of these before but you could give some virus finder plugins a shot

They look kind of old tho not sure if they would work

Pokemoncraft5290 · March 26, 2021, 9:55pm

They’re lying just to scare you. It’s probably a plugin. Show a list of all the plugins that you and your team uses.

Coasterteam · March 26, 2021, 10:54pm

First of all, do NOT fall into their blackmail attempt, that only leads to further issues.

I have a few things

Does the game use an admin system, if so, what is it?
Some common keywords used in obfuscation;
= require .load(game setmetatable string.char table.concat getfenv setfenv

Server Scripts cannot hide in hidden services or obscure locations. They can only run in Workspace or in ServerScriptService, Roblox made this change not too long ago.

I am very interested in helping you get rid of this backdoor, as nobody should have to pay 50,000 to a few annoying exploiters.

VoidException · March 26, 2021, 11:00pm

Have all of your developers checked their plugins, just in case. Also, common things may be that a script may go on for a good while (scroll down to the bottom of that script, then there should be a vertical scrollbar, if that continues, go all the way to the end of it, there could be hidden code.

This is typically the cause with something called “RoSync”. They say that the script was last synced at a specific date, but then if you scroll all the way to the side, you get a loadstring containing malicious code.

ScriptingsMaster · March 29, 2021, 3:00pm

RoSync can easily be detected with CTRL + SHIFT + F and searching for “getfenv”, as RoSync uses “getfenv” with string.reverse.

alexfinger21 · March 29, 2021, 3:05pm

Could you share the place with me? USER: alexfinger21
discord: alexfinger21#2246

ScriptingsMaster · March 29, 2021, 3:07pm

Hi! Related to my other response that I deleted. More details and information, help.

I guess it is backdoor that loads a serverside. This kind of scripts appear from plugins, they are known as backdoors.

So here are couple things…

CTRL + Shift + F and search for these..

“loadstring”
“marketplaceservice”
“insertservice”
“insert”
“teleportservice (incase)”
“string.reverse”
“IsStudio”
“setfenv”

Also if you still can not find it, please use this from @Christbru01
Hidden Infection Script Detector

The plugins that spread the serversides are usually impersonating known creators with groups or similiar usernames. Check your plugins and their creators. Also check the plugins of everybody who can access the studio. The reason why you might not be finding it is that there is couple serversides that do not use "getfenv" or "require" to spread the serverside.

Please contact me in Discord through Tiitus#3617 if this does not help you at all.

Phazenine · March 30, 2021, 4:38pm

Who said they were telling the truth? Do you have any evidence that the ‘backdoor’ even exists?

Phazenine · March 30, 2021, 5:22pm

Isn’t there a getfenv that comes right before obfuscated text?
Either way, I’ve checked out the asset that the script requires. It doesn’t seem to be for sale, and if I remember correctly (may be wrong however) require only works when a module is set for sale.

I’m guessing the people who orchestrated this are planning to activate it if you don’t pay up.

Anyways, you should probably delete that script.

Another note:
I’ve heard that some people like to obfuscate their code to prevent theft, especially with long scripts like these, and based on its contents this may be the case.

Chocolauf · March 30, 2021, 5:55pm

Are you supposed to start with 5 quadrillion?

deluc_t · March 31, 2021, 12:32am

I’m guessing that since this is being posted on the devforum, they are taking it offsale so people smart enough wouldn’t try to “crack” the source to the backdoor.

Babybunnyiscute19 · April 5, 2021, 8:30pm

If you have a back up and or save, overwrite the save to the main game, or if you don’t, set the game to an older version or use an auto recovery save. It might not get rid of the back door fully, but it should remove all the damage until the person who back doored you strikes again. In that window of time delete all plugins, use ctrl + shift + f to find all require function or what ever they are called and delete/edit the scripts that have it.

17frames · April 5, 2021, 10:15pm

Add me on discord Frames#0130 Ill help you. Cheers.

km7dev · April 5, 2021, 10:22pm

Use an antivirus plugin. Here is a good one:

km7dev · April 5, 2021, 10:27pm

dont trust it. they’ll just take it and NOT tell how.

VoidException · April 5, 2021, 10:34pm

Yep I am aware.

Just for everyone else who is still on this topic, myself and the head developer spent a few hours looking through the game. One of the owners friends eventually found it buried deep in one of the scripts.

Hopefully that solved the issue, the backdoor (seems) to be gone.

boeljoet · April 6, 2021, 1:47am

can you share how and where you found it?

km7dev · April 6, 2021, 1:40pm

If that wasn’t all or wasn’t it, just post it back on here.

naticsi_rb1x · April 6, 2021, 7:25pm

its a remote
that allows ss scripts
you can manipulate the args by hooking it
to execute whatever you want on the server