Hello, I’m currently in a very frustrating situation. My game 🦖Dinosaur Legacy: Saurian Odyssey - Roblox is being targeted by an exploiter to a point where I had to private the game so people stop losing their data. The exploiter was joining the game and kicking everyone. He then proceeded to join the associated Discord server, where he admitted to hacking while being extremely racist and rude to our members.
What’s really frustrating is the game doesn’t get many players, so this is clearly someone who is doing it out of spite.
Does anyone have any experience with something like this? If so, how have you dealt with it?
Get better server-side remote event protection. He shouldn’t be able to do this; you must have an unprotected admin script remote or something like that, unless your game is backdoored, but that’s a whole different story.
This has to be something with an admin panel you or someone else created; he has to be firing a remote event that kicks the player. You should try adding a table check with the client to see if they are on the table, and if they are, kick the player.
This is probably a lack of security on your admin commands and such. Make sure to check that whoever is sending admin remote events is on a table which contains all admins and such. Also check for strange requests for assets that aren’t in your game that you didn’t make; it may be a backdoor.
You have unsecure RemoteEvents that are allowing the “hacker” (exploiter) to kick everyone from the server. These types of vulnerabilities are what “hackers” love best.
Instead of taking reactive measures such as banning, you need to make preventive measures by doing server-side validation.
So, it is impossible to kick other players on the client, which means that you must have some sort of admin script that kicks players, which is pointed out by other people in this forum. I recommend making it so that you have an array of authorised individuals who can use admin perms, like this:
```lua
local adminEvent = game.ReplicatedStorage.Remotes.AdminEvent

local admins = {
	--your userids here
}

local function onEvent(player, command)
	-- check if the player is actually authorised to perform admin commands
	--[[
	you can even do something like error(`{player.Name} attempted to use an admin command!`)
	to catch out people using admin commands since you have a small playerbase and it would be logged in error reports
	]]--
	if not table.find(admins, player.UserId) then return end
	--your admin code here
end

adminEvent.OnServerEvent:Connect(onEvent)
```
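
Added example, not part of any reply in this thread: a server-side handler that combines the admin allowlist suggested above with an allowlist of commands and type checks on every client-supplied argument, and logs rejected requests. The `kick` command name, the `0` UserId placeholder and the 100-character reason limit are assumptions; the remote path is the one used in the reply above.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not the thread's code.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local adminEvent = ReplicatedStorage.Remotes.AdminEvent

-- Placeholder entry (constructed): replace 0 with real admin UserIds.
-- This table lives only on the server, so clients cannot read or edit it.
local ADMINS = {
	[0] = true,
}

-- Every command the remote accepts. Anything not listed here is rejected.
local COMMANDS = {}

function COMMANDS.kick(admin, targetUserId, reason)
	-- Arguments come from the client, so check their types before use.
	if typeof(targetUserId) ~= "number" then return false end
	if reason ~= nil and typeof(reason) ~= "string" then return false end

	-- Resolve the target on the server; never accept an Instance from the client.
	local target = Players:GetPlayerByUserId(targetUserId)
	if not target or ADMINS[target.UserId] then return false end

	target:Kick(string.sub(reason or "Kicked by an admin", 1, 100))
	return true
end

adminEvent.OnServerEvent:Connect(function(player, command, ...)
	-- `player` is filled in by the engine, so the sender cannot be spoofed.
	if not ADMINS[player.UserId] then
		warn(`[admin] {player.Name} ({player.UserId}) fired AdminEvent without permission`)
		return
	end

	local handler = typeof(command) == "string" and COMMANDS[command]
	if not handler then
		warn(`[admin] {player.Name} sent an unknown command`)
		return
	end

	if not handler(player, ...) then
		warn(`[admin] {player.Name} sent invalid arguments for {command}`)
	end
end)
```

The `warn` lines appear in the server output, so repeated unauthorised attempts from one account show up in the logs.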