Potential Backdoor or FE Bypass

I have no idea if this is where I’m supposed to be making this post but I will digress. Me and my fellow devs are in a bit of a pickle. We run a highly profitable game that we all use as a full time job, our livelihoods literally depend on this game. We have been the target of some form of exploit attack that started today, and I’ve never encountered stuff like this before.

Entire sections of our map started getting deleted across all our servers, in some servers the entire map was gone. We have scanned through our game for backdoors in the past due to a previous issue but we didn’t find anything. We thought the issue came from HD Admin so we deleted it and replaced it with our own custom admin script. The issue only presented itself today, this hasn’t happened in the past.

Reverting to the last update didn’t fix the issue either, so if it is a backdoor, it wasn’t added between the current and last update. I am not a programmer so there’s not a whole lot I can do. I am waiting for our head programmer to get online. In the meantime, does anybody have any idea what this is or how to fix it?

EDIT: The game is currently privated because the issue was that bad, had no other choice but to shutdown the game.




1 Like

Could potentially be a backdoor honestly. You should try going in Studio and trying to do CTRL+SHIFT+F and search for ‘require’, as well as ‘eriuqer’ (I’ve seen people use string.reverse to specifically counteract people searching for requires.) You could also use a pretty reliable plugin known as ‘Server Defender’ which can be used to search for other specific things exploits might use.

There could also be a chance that someone is messing with some remotes, although unlikely. I would assume you don’t have server-sided code that is accessible via remotes to delete portions of the map, though. Do you have any tools accessible by remotes that could potentially cause this?

3 Likes

We have a lot of require in the game, like 670 results, but it is for gameplay purposes as some of our essential scripts use it. All of our remotes should be protected, we are very cautious when it comes to plugins and shit so this is just unbelievable. The previous issue was some UI thing flashed in all servers telling people to go to a site for free Robux. We reverted and removed the HD Admin and that never occurred again. The programmers went through and looked for backdoors and shit during that time and they found nothing except for the admin script to be a potential cause.

Are there any ones that are out of place; specifically freemodels?

1 Like

one piece of advice, pls find a stable source of income by getting an actual job because in short, roblox is not a stable form of income

with that out of the way first, you have to narrow things down
list down all the things of how a client could be ordering the server to do their bidding

don't leave these out

option A: remoteEvent
  --option A is clearly out of the question unless you have a remote event that can invoke a similar 
  --behavior as "Entire sections of our map started getting deleted across all our servers" if the 
  --remote event was provided with information of that large a scale
option B: bypassing filter enabled
  --this doesn't seem to be very likely as if it did happen
  --some dumb exploiter will leak it to the public to inform roblox to add more security unless corruption 
  --gets the best of roblox which i hope doesn't happen
option C: a backdoor cheat
  --you said "Entire sections of our map started getting deleted across all our servers" and a backdoor 
  --cheat has the ability to do that so it means that this is VERY likely and that means if you think there's 
  --not a back door then there is a backdoor hack hidden somewhere.
  --and if it's hiding from your sight, you better start thinking of where they could have hid it
  --maybe try and exploit other people's games so you'd have the experience to protect your own game 
  --and be able to narrow down backdoor hacks like this better

so now we know it's option C that's most likely the case and we have proof to back it up and that proof is the scale of the destruction

destruction means the exploiter is using a “:Destroy” function or, “:Remove” function, or “referencedPart.Parent = nil”

which means that any scripts using these functions and setting parents to nil could be the backdoor

1 Like

We do not use free models. Everything in our game is custom.

1 Like

Then you probably accidentally opened up a backdoor for the exploiters. What scripts use :Destroy()?

1 Like

:Destroy could be obfuscated. Is loadstring enabled?

1 Like

We have a bunch of scripts that use destroy, most of them look legit though. There’s too many to sort through and I’m not 100% sure what I’m looking for.

It may not just be :Destroy, I’ve seen some backdoors that want to destroy maps use .Parent = nil to try avoiding detection, so try looking for that as well. Not much else I can think of adding to this, sorry.

1 Like

Alright when our programmers get online I’ll make sure they check in here for potential fixes. Thank you.

Any chance the objects are meshes that got moderated and/or didn’t load? Are you using InsertService for your maps or in some way inserting the assets through a HTTP request?

Are these requiring instances in-game? If so (you aren’t looking for an asset in the library), try searching for “require(1”, “require(2” etc. Chances are the person who made the backdoor will have stored require to a variable and called it some other way but people who do make backdoors tend to be idiots.

Ctrl+Shift+F the following terms:
= require
getfenv
Try running this in the command line; it should look for scripts that contain “= require” followed by any whitespace character, i.e. scripts that are storing require in a variable.

-- Walk every instance in the place; pcall swallows errors for
-- non-script instances that have no Source property.
for i,v in pairs(game:GetDescendants()) do 
    pcall(function() 
        -- Lower-case the source so "= Require" is caught too;
        -- "%s" requires a whitespace character after "require".
        if v.Source:lower():match('= require%s') then 
            print(v:GetFullName()) 
        end 
    end) 
end

Sometimes backdoors will check if the game is being run in Studio, so use an explorer like Dex to view your game’s explorer at runtime. I think HD or Kohl’s has an explorer, and there might be one in the toolbox (although ensure you’re getting the official version because you don’t want another backdoor).
Search for “\” to check for scripts that are using code points or whatever they’re called.
Check for unauthorized InsertService usage.

In most cases, backdoors will use getfenv to get access to the functions without explicitly stating them (getfenv()[whatever the codepoint thing for require is]), however I don’t think there’s a way to getfenv() without explicitly typing out getfenv in plain text (aside from loadstring which is a red flag in and of itself).

Get whoever has team create access to check their plugins out, if there’s a plugin that looks suspicious (low sales/likes/favourites/creator has few followers, is a bacon hair etc), use InsertService to insert its source code into a blank baseplate or something and examine it, check for things that are being inserted as well as access to scripts’ sources. If the plugin presents a red flag then get them to remove it.

You also mention that it’s deleted in all servers so try listing DataStores and look for and remove any data that wasn’t implemented by you or another developer (DataStoreService:ListDataStoresAsync). Also try looking for unauthorized use of HTTPService and MessagingService.

Good luck :+1:

2 Likes
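A broader version of the command-bar search above, added here as an example and not code from anyone in this thread: it checks every script’s Source against the indicators people have mentioned (require of an asset id, require stored in a variable, reversed ‘require’, getfenv/setfenv, loadstring, escaped byte strings, `.Parent = nil`, InsertService/HttpService/MessagingService) and prints one line per flagged script. The pattern names and the report format are my own; legitimate scripts will match too, so this prioritises what to read by hand rather than giving a verdict.

```lua
-- Run in the Roblox Studio command bar. Added example, not from the original post.
-- Each entry is a Lua pattern matched against the lower-cased script source.
local PATTERNS = {
	{ name = "require of asset id",   pat = "require%s*%(%s*%d" },
	{ name = "require stored in var", pat = "=%s*require[^%w_]" },
	{ name = "reversed 'require'",    pat = "eriuqer" },
	{ name = "getfenv/setfenv",       pat = "[gs]etfenv" },
	{ name = "loadstring",            pat = "loadstring" },
	{ name = "escaped byte string",   pat = "\\%d%d" },
	{ name = "Parent = nil",          pat = "%.parent%s*=%s*nil" },
	{ name = "InsertService",         pat = "insertservice" },
	{ name = "HttpService",           pat = "httpservice" },
	{ name = "MessagingService",      pat = "messagingservice" },
}

-- Returns the list of indicator names found in one script's source.
local function scanSource(source)
	local hits = {}
	local lowered = source:lower()
	for _, p in ipairs(PATTERNS) do
		if lowered:match(p.pat) then
			table.insert(hits, p.name)
		end
	end
	-- A NUL byte inside source text is a strong sign of embedded bytecode.
	if source:find("\0", 1, true) then
		table.insert(hits, "embedded NUL byte")
	end
	return hits
end

local scanned, flagged = 0, 0
for _, inst in ipairs(game:GetDescendants()) do
	-- Script, LocalScript and ModuleScript all inherit LuaSourceContainer.
	if inst:IsA("LuaSourceContainer") then
		scanned = scanned + 1
		-- Reading Source can throw for protected instances; skip those.
		local ok, source = pcall(function() return inst.Source end)
		if ok and type(source) == "string" then
			local hits = scanSource(source)
			if #hits > 0 then
				flagged = flagged + 1
				print(string.format("%s (%s): %s", inst:GetFullName(),
					inst.ClassName, table.concat(hits, ", ")))
			end
		end
	end
end
print(string.format("Scanned %d scripts, flagged %d for manual review", scanned, flagged))
```

Scripts that only exist at runtime (inserted by a plugin or by InsertService after the server starts) will not appear in this scan, which is why the runtime-explorer check above still matters.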

First: Check all scripts. Don’t care how long it’ll take, probably divide them among groups. Think about what is worth more in this case, your game or your time. Check for requires, or try scrolling the script left and right to see if anything is hidden.

Second: (Really first), disable any plugins you have, and verify they are safe.
Third: You really should get a real job, and don’t treat Roblox as full time; it’s not safe in the long run. Do it as a hobby.

1 Like

I know it’s not safe in the long run, I do not have access to work right now due to living in a very small rural farming town and we make too much money for this to be considered a hobby. This is my job for now whether I like it or not.

I have no plugins and every other dev has already been instructed to delete all their plugins, but none of them should have anything shady as they’re all very intelligent individuals who value the security of our game.

First, if it is a backdoor then it most likely came from a free model or plug-in, and since you’ve already stated you don’t use free models, it’s most likely a plug-in that will inject a backdoor into your scripts while still functioning as a regular plug-in.

Like everyone else has suggested, use the global search tool and search for the terms: Require, Getfenv, Setfenv, Loadstring, stuff like that. Also try using a trusted virus scanner plug-in if your first search yields no results.

Second, if you spend hours searching for a backdoor and you don’t find one, it’s probably not a backdoor. It could be a remote event vulnerability, so make sure to triple check that the client has little to no influence on the server through remote events. It could also just be a (severe) bug. I’ve had instances where I thought my games were infected, but it turns out I was just incompetent.

Lastly, as a side note:

Yes it can be hard to make money off Roblox, but it’s not impossible, lots of people develop on Roblox as a full time position. You just have to acknowledge that it’s not like a conventional job. It’s fully up to you and your team to maintain a stable income.

4 Likes

This is most likely an exploit where the user can delete maps (which are probably in ReplicatedStorage.) I’d recommend changing the map location asap, and finding another way to access it.

Remember: Never trust the client.

I know you hear that basically 24/7, but trust me. You giving the client access to maps just to make spawning a map easier for you will cause you to shut down the game and lose money.

Now of course, I’m assuming the maps are in ReplicatedStorage. While a plugin/backdoor could be the cause, it’s very bold that the plugin/backdoor would know exactly where your maps are located, and what parts to delete. And aye, who knows, maybe one of your developers did this?

Anyway, that’s my input on this dilemma, hopefully you found this useful! :grin:

1 Like

One of our developers is now online and is now going through all our scripts using the information provided here. Thank you. I will update when I have more information.

ReplicatedStorage doesn’t replicate actions done by the client to the server; only server-to-client replication is allowed by the networking model.

1 Like

Currently going through all scripts. We have checked require, destroy, and remove. Nothing shady so far.

Game has been open for an hour or so now, nothing has happened yet. I believe the exploiter is asleep or away at the moment.

Any scripts that have strange characters or bytecode? (I usually search up \0 to find bytecode.) It might be an obfuscated script.

1 Like