Part spawning & terrain modification exploit

The exploit used below is unlike any other exploits I have seen.
Any ideas on how this could have happened?

Plug-ins have been checked, and scripts have been searched for getfenv and requires.
Everything looks okay. Still no idea how this happened.

Edit: Spawn parts also inserted to the Workspace.

I don’t believe exploits should be posted here and instead directly to the @DevEngagementTeam. Announcing an exploit could cause others to abuse it, if said exploit is truly an exploit.

This could just be a case of bad security in your game, but there’s not enough information to say whether it’s an exploit or the security, as all you’ve provided is an in-game screenshot.

The reason I’m posting it here is because I want feedback from other developers to find out the source of this exploit.

Hackers use a server-sided executor which executes scripts like adding parts, bypassing game passes, etc.

How does an exploiter have a server-sided executor when there are no backdoors?

I don’t really know how this happened with an exploit without it being server-sided though.

It may be possible that you added a back door model or plug-in you have.

I spent a lot of time watching people hack and I can see the most used exploit is Synapse.

Server-side code injectors (level 7) do not work like this anymore; this was patched a long time ago with FilteringEnabled. The only way this could be caused is either a physics engine exploit, a character network exploit (assuming this is an exploit), or finally, an unprotected remote, which is the most likely option.

Your game has to have a backdoor, you must be missing something. Exploiters don’t just randomly find a method to insert terrain and models into your game or else this would be happening in bigger games like Adopt Me.

This could also be a result of your scripts having bad security. Not sure how you’d make something so vulnerable to allow this, but it’s still a possibility. Try searching all scripts for InsertService.

Yeah, I already checked for InsertService and LoadAsset before as well as string manipulations. Nothing comes up.

How would an unprotected remote result in this?
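One way an unprotected remote can lead to parts appearing in the Workspace, shown as an added example that is not part of the original thread and not code from the game being discussed. The `PlaceBlock` remote, the limits and the handler are hypothetical; the weak form is kept as a comment beside a validated server handler.

```lua
-- Added example (Luau, server Script). Hypothetical names: PlaceBlock, MAX_REACH, COOLDOWN.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

local placeBlock = Instance.new("RemoteEvent")
placeBlock.Name = "PlaceBlock"
placeBlock.Parent = ReplicatedStorage

-- WEAK (left commented out): the server builds whatever the client describes,
-- so any client that can fire the remote chooses the class, properties and parent.
-- placeBlock.OnServerEvent:Connect(function(player, className, props)
--     local obj = Instance.new(className)
--     for k, v in pairs(props) do obj[k] = v end
--     obj.Parent = workspace
-- end)

local MAX_REACH = 30                    -- studs from the player's character
local COOLDOWN = 0.5                    -- seconds between accepted requests
local BLOCK_SIZE = Vector3.new(4, 4, 4) -- fixed by the server, never by the client
local lastPlaced = {}

-- Every argument after `player` is client-controlled and must be checked.
local function isValidRequest(player, position)
    if typeof(position) ~= "Vector3" then return false end
    local character = player.Character
    local root = character and character:FindFirstChild("HumanoidRootPart")
    if not root then return false end
    local dist = (root.Position - position).Magnitude
    if not (dist <= MAX_REACH) then return false end -- written this way to reject NaN too
    local now = os.clock()
    if now - (lastPlaced[player] or -math.huge) < COOLDOWN then return false end
    lastPlaced[player] = now
    return true
end

-- HARDENED: the client only proposes a position; the server decides everything else.
placeBlock.OnServerEvent:Connect(function(player, position)
    if not isValidRequest(player, position) then return end
    local part = Instance.new("Part")
    part.Size = BLOCK_SIZE
    part.Anchored = true
    part.Position = position
    part.Parent = workspace
end)

Players.PlayerRemoving:Connect(function(player)
    lastPlaced[player] = nil -- drop per-player state on leave
end)
```

When auditing a game for this, review every `OnServerEvent` and `OnServerInvoke` handler and check that no client-supplied value reaches `Instance.new`, a `Parent` assignment or a terrain call without validation.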

Have you tried searching for loadstring? Also check if loadstrings are enabled in ServerScriptService properties.

My loadstrings are disabled and I already checked scripts for it, nothing comes up.