My game just got exploited, what do I do?

I made a game where players can claim a booth and set up their own signs. I made this game from scratch myself, so I ensured that I used no free models (except admin commands by HD) or any malicious objects.

For some reason, my game was exploited today. Some of the players were being flung multiple times from the map, and I checked devconsole, nothing showed up in it. My RemoteEvent doesn’t allow for clients to manipulate object positions or anything.

I’d appreciate if anyone could tell me why this happened or if there’s a solution I can use?

4 Likes

Hello! I have just written a response with possible solutions for exploit prevention in one of the discussion topics similar to yours. You may read it here.

Hope it helps.

I appreciate your reply. But if you take the time to read my post, you’d understand that the issue is not with currency-related things, which usually involve RemoteEvents. In my case, no player data is being changed. The problem is that the players are being flung off the map.

1 Like

There are multiple copies of the HD Admin. Make sure you know who it was made by, and if you think you know, check again.

1 Like

I made sure it was the one by ForeverHD himself.

1 Like

Like I said, check again, because some people can just change a letter in the user and then it can look like the user.

1 Like

My post has a solution to that issue as well. Consider adding certain checks on the positioning of an exploiter. It could come out from that.

Another “suspicious” asset could be:

As @SillyDude_Dev just stated,

I’d recommend making your own admin system based on CMDR. It is safe and pretty much customizable.

1 Like

I don’t script so I know nothing about this stuff, but I know a thing or 2 about this stuff

1 Like

And I am sure that there is at least 1 free model that has a hidden script in it

1 Like

Yeah, I was thinking of adding checks. But the exploiter may just pretend to be a normal player and not use exploit on himself. What I know is that he exploited on the other players and I don’t know how to stop that. If you have any ideas of what kind of checks I should add, please let me know.

Pfft. It is impossible. A client script cannot change any properties on others, at least it would not work on other players; “victims” will still be able to run/walk and do whatever they want as a normal player, unless you have a backdoor, which usually comes from free models and/or developers who purposely implement those.

If I may, can I see the game? I want to see something.

No? That is not applicable, being as the username doesn’t consist of the letter I or L.

Think before you make further posts.

I am saying all the possibilities that could have led to this “Exploit” person getting access to exploit.

PhysicsService | Roblox Creator Documentation should answer your issue.
More information will be listed here: Detecting Collisions | Roblox Creator Documentation

This will prevent players from colliding with other players.

3 Likes
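The collision-group approach suggested in the post above, as an added example that is not part of the original thread: a server Script that places every character part in one collision group and makes that group non-collidable with itself, so characters pass through each other while still colliding with the map. The group name `PlayerCharacters` and the script's placement in ServerScriptService are assumptions.

```lua
-- Added example (not from the thread). Server Script, e.g. in ServerScriptService.
local PhysicsService = game:GetService("PhysicsService")
local Players = game:GetService("Players")

local GROUP = "PlayerCharacters" -- assumed name, pick any unused group name

-- Register the group once, then disable collisions between its members.
-- Members still collide with the "Default" group (map, booths, signs).
if not PhysicsService:IsCollisionGroupRegistered(GROUP) then
	PhysicsService:RegisterCollisionGroup(GROUP)
end
PhysicsService:CollisionGroupSetCollidable(GROUP, GROUP, false)

-- Put a single instance into the group if it is a physical part.
local function assign(instance)
	if instance:IsA("BasePart") then
		instance.CollisionGroup = GROUP
	end
end

local function onCharacterAdded(character)
	-- Parts that already exist when the character spawns.
	for _, descendant in ipairs(character:GetDescendants()) do
		assign(descendant)
	end
	-- Accessories and tools are parented after spawn, so cover late arrivals too.
	character.DescendantAdded:Connect(assign)
end

local function onPlayerAdded(player)
	if player.Character then
		onCharacterAdded(player.Character)
	end
	player.CharacterAdded:Connect(onCharacterAdded)
end

-- Handle players who joined before this script ran, then everyone after.
for _, player in ipairs(Players:GetPlayers()) do
	onPlayerAdded(player)
end
Players.PlayerAdded:Connect(onPlayerAdded)
```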

If I were you I wouldn’t check local logs, exploit logs and dev console, because most times they can make exploits that are traceless or look like an ordinary script event when it’s really the exploit running.

1 Like

Try checking plugins to see if they are the original and not cloned and have viruses. Maybe do something like cloning everything you need again when a game starts.

Like clone all remote events and delete the old ones using a script.

Yeah, that too… People can have a plugin that plugs their scripts into your scripts, then they can access your server-side stuff. I am pretty sure there is another post about plugin viruses around the forum somewhere, since I’ve seen a trend in that stuff lately.

How about cloning remotes and deleting the old ones when a player joins and the game/server starts? Unlikely, but worth a try if you haven’t.

Please read ^^.

Impossible? I’m not sure if you’re unaware or blind to the fact that the exploit happened, it affected multiple users. I made all the scripts in the game, both server scripts and clientside scripts, with the exception of HD admin command.

@EncodedXML I’m not sure what you mean by PhysicsService could be the solution? Can you explain?

@MR_Enforcement If not, then what should I check?

@not_1yo I checked plugins, but they all seem to be safe and made by renowned users (yes, I double checked by going to the creator’s profile).

@not1_yo The RemoteEvents are made through a server script, so they’re brand new every time a server starts. But even then, I don’t understand how RemoteEvents could allow an exploiter to fling players?