Then you probably accidentally opened up a backdoor for the exploiters. What scripts use :Destroy()?
:destroy could be obfuscated. Is loadstring enabled?
We have a bunch of scripts that use destroy, most of them look legit though. There’s too many to sort through and I’m not 100% sure what I’m looking for.
It may not just be :Destroy, I’ve seen some backdoors that want to destroy maps use .Parent = nil to try avoiding detection, so try looking for that as well. Not much else I can think of adding to this, sorry.
Alright when our programmers get online I’ll make sure they check in here for potential fixes. Thank you.
Any chance the objects are meshes that got moderated and/or didn’t load? Are you using InsertService for your maps or in some way inserting the assets through an HTTP request?
Are these requiring instances in-game? If so (you aren’t looking for an asset in the library), try searching for “require(1”, “require(2” etc. Chances are the person who made the backdoor will have stored require to a variable and called it some other way but people who do make backdoors tend to be idiots.
Ctrl+shift+f the following terms:
= require
getfenv
Try running this in the command line, it should look for scripts that contain “= require” with any whitespace character after for scripts that are storing require to a variable.
for i, v in pairs(game:GetDescendants()) do
    -- pcall skips instances that have no readable Source property
    pcall(function()
        if v.Source:lower():match('= require%s') then
            print(v:GetFullName())
        end
    end)
end
Sometimes backdoors will check if the game is being run in studio, use an explorer like dex to view your game’s explorer at runtime, think HD or kohl’s has an explorer, there might be one in the toolbox (although ensure you’re getting the official version because you don’t want another backdoor).
Search for “\” to check for scripts that are using code points or whatever they’re called
Check for unauthorized InsertService usage
In most cases, backdoors will use getfenv to get access to the functions without explicitly stating them (getfenv()[whatever the codepoint thing for require is]), however I don’t think there’s a way to getfenv() without explicitly typing out getfenv in plain text (aside from loadstring which is a red flag in and of itself).
Get whoever has team create access to check their plugins out, if there’s a plugin that looks suspicious (low sales/likes/favourites/creator has few followers, is a bacon hair etc), use InsertService to insert its source code into a blank baseplate or something and examine it, check for things that are being inserted as well as access to scripts’ sources. If the plugin presents a red flag then get them to remove it.
You also mention that it’s deleted in all servers so try listing DataStores and look for and remove any data that wasn’t implemented by you or another developer (DataStoreService:ListDataStoresAsync). Also try looking for unauthorized use of HttpService and MessagingService.
Good luck
First: Check all scripts, don’t care how long it’ll take, probably divide them among groups, think, what is worth more, your game, or your time in this case, check for requires, or, try scrolling the script left and right, see if anything is hidden.
Second: (Really first), disable any plugins you have, and verify they are safe
Third: You really should get a real job, and don’t treat Roblox as full time, not safe in the long run, do it as a hobby.
I know it’s not safe in the long run, I do not have access to work right now due to living in a very small rural farming town and we make too much money for this to be considered a hobby. This is my job for now whether I like it or not.
I have no plugins and every other dev has already been instructed to delete all their plugins, but none of them should have anything shady as they’re all very intelligent individuals who value the security of our game.
First, if it is a back door then it most likely came from a free model plug-in, and since you’ve already stated you don’t use free models; it’s most likely a plug-in that will inject a backdoor into your scripts while still functioning as a regular plug-in.
Like everyone else has suggested, use the global search tool and search for the terms: Require, Getfenv, Setfenv, Loadstring, stuff like that. Also try using a trusted virus scanner plug-in if your first search yields no results.
Second, if you spend hours searching for a back door and you don’t find one, it’s probably not a backdoor. It could be a remote event vulnerability, so make sure to triple check that the client has little to no influence on the server through remote events. It could also just be a (severe) bug. I’ve had instances where I thought my games were infected, but it turns out I was just incompetent.
Lastly, as a side note:
Yes it can be hard to make money off Roblox, but it’s not impossible, lots of people develop on Roblox as a full time position. You just have to acknowledge that it’s not like a conventional job. It’s fully up to you and your team to maintain a stable income.
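The search terms suggested in the replies above (`= require`, `require(1`, getfenv, setfenv, loadstring, backslash escapes, `.Parent = nil`, code hidden far to the right of a line) combined into one command-bar pass, as an added example that is not code from any poster in this thread. The indicator list and the 300-character width threshold are assumptions; a hit marks a line to read by hand, and an empty result does not clear a script.

```lua
-- Added example, not from the thread. Run it in the Studio command bar,
-- which is allowed to read script Source.
local INDICATORS = { -- { label, Lua pattern matched against the lowercased line }
	{ "require stored in a variable", "=%s*require%s" },
	{ "require by numeric asset id", "require%s*%(%s*%d" },
	{ "getfenv", "getfenv" },
	{ "setfenv", "setfenv" },
	{ "loadstring", "loadstring" },
	{ "backslash numeric escape", "\\%d" },
	{ ".Parent = nil", "%.parent%s*=%s*nil" },
	{ ":Destroy() or :Remove()", ":destroy%s*%(" },
	{ ":Destroy() or :Remove()", ":remove%s*%(" },
}
local MAX_LINE_WIDTH = 300 -- assumption: wider lines may hide code off-screen

local function scanSource(source)
	local hits = {}
	for lineNumber, line in ipairs(source:split("\n")) do
		-- Put the newline back so a trailing "%s" can match at end of line.
		local lowered = line:lower() .. "\n"
		for _, indicator in ipairs(INDICATORS) do
			if lowered:find(indicator[2]) then
				table.insert(hits, ("line %d: %s"):format(lineNumber, indicator[1]))
			end
		end
		if #line > MAX_LINE_WIDTH then
			table.insert(hits, ("line %d: %d characters wide"):format(lineNumber, #line))
		end
	end
	return hits
end

for _, instance in ipairs(game:GetDescendants()) do
	-- pcall because some instances cannot be inspected from the command bar.
	local ok, source = pcall(function()
		return instance:IsA("LuaSourceContainer") and instance.Source
	end)
	if ok and type(source) == "string" then
		local hits = scanSource(source)
		if #hits > 0 then
			warn(instance:GetFullName())
			for _, hit in ipairs(hits) do
				print("    " .. hit)
			end
		end
	end
end
```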
This is most likely an exploit where the user can delete maps (which are probably in ReplicatedStorage.) I’d recommend changing the map location asap, and finding another way to access it.
Remember: Never trust the client.
I know you hear that basically 24/7, but trust me. You giving the client access to maps just to make spawning a map easier for you will cause you to shut down the game and lose money.
Now of course, I’m assuming the maps are in ReplicatedStorage. While a plugin/backdoor could be the cause, it’s very bold that the plugin/backdoor would know exactly where your maps are located, and what parts to delete. And aye, who knows, maybe one of your developers did this?
Anyway, that’s my input on this dilemma, hopefully you found this useful!
One of our developers is now online and is now going through all our scripts using the information provided here. Thank you. I will update when I have more information.
ReplicatedStorage doesn’t replicate actions done by the client to the server, only server to client actions are allowed by the networking model
Currently going through all scripts. We have checked require, destroy, and remove. Nothing shady so far.
Game has been open for an hour or so now, nothing has happened yet. I believe the exploiter is asleep or away at the moment.
Any scripts that have strange characters or bytecode? (I usually search up \0 to find bytecode.) It might be an obfuscated script.
Well, welcome to the fun zone.
Alright, step 1, check your plugins. You can insert any plugin you own and check the source like so:
local PluginIDHere = 13371337
local IS = game:GetService("InsertService")
local GrabAsset = IS:LoadAsset(PluginIDHere)
GrabAsset.Parent = workspace
Paste in the plugin ID and run this in the command line in an empty studio place. Do this for every plugin on everyone on your team. I’ve run into plugins that insert backdoor scripts before, and while studio now warns you about it one may have slipped through.
Now, if your plugins aren’t the problem, here’s the real fun: You now have to verify every single script in your game. To do that, let’s get EVERY SINGLE SCRIPT in one convenient location:
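local QuarantineFolder = Instance.new("Folder", workspace)
QuarantineFolder.Name = "Every Single Script"
local EverySingleObject = game:GetDescendants()
for _, v in pairs(EverySingleObject) do
    -- pcall skips instances that cannot be inspected or cloned
    pcall(function()
        -- LuaSourceContainer covers Script, LocalScript and ModuleScript;
        -- BaseScript alone would leave ModuleScripts out
        if v:IsA("LuaSourceContainer") then
            local c = v:Clone()
            c.Name = v:GetFullName() -- keep the original path as the clone's name
            c.Parent = QuarantineFolder
        end
    end)
end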
This again must be run in the command bar. It will extract every script except core scripts and allow you to check all of them. Do not try to just use find functions. Manually inspect them. Malicious scripts are always devising new and interesting ways to avoid being caught by a simple search and they will abuse every tool in the box to do it.
Now, if you still haven’t found your script, well, oof. If there’s a backdoor, there is undoubtedly a script. So now we get into the seventh layer of hell: Scripts can hide in unions and still run. I have no idea if this has been completely patched yet, it absolutely used to be a thing, but such scripts will not get caught by the above segment of code I gave you.
In order to find union-concealed scripts you’ll have to grab every union and break it down bit by bit checking it. I sincerely hope you don’t have to do this as it is a titanic pain. Assuming you get to this stage, here is another segment of code for getting all of your unions:
local QuarantineFolder = Instance.new("Folder", workspace)
QuarantineFolder.Name = "Every Single Union"
local EverySingleObject = game:GetDescendants()
for _, v in pairs(EverySingleObject) do
    pcall(function()
        if v:IsA("UnionOperation") or v:IsA("NegateOperation") then
            local c = v:Clone()
            c.Name = v:GetFullName()
            c.Parent = QuarantineFolder
        end
    end)
end
If you for some reason have not found your backdoor after going through all of the above, then the most likely cause is your scripter cannot be trusted and I highly advise you get someone else to help you verify.
Alright! I think we found the issue, if not the specific issue we definitely found an issue.
Found this bugger inside an old, defunct walk sounds script that we forgot to remove when we made our new system. Unprotected client side remote.
We just did, thank you! It was a r.Parent = nil inside an old walk sounds script that was being fired from the client.
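The root cause reported above, a server-side handler that runs `r.Parent = nil` on whatever the client passes through a remote, shown next to a validated version of the same handler. This is an added example, not the game's script: the RemoteEvent name `WalkSoundEvent`, the handler shape and the rule that the target must be a Sound inside the sender's own character are all assumptions.

```lua
-- Added example (server Script). All names are hypothetical.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local remote = ReplicatedStorage:WaitForChild("WalkSoundEvent") -- hypothetical RemoteEvent

-- BEFORE (assumed shape of the bug): the server unparents whatever instance
-- the client sends, and that change replicates to every player.
-- remote.OnServerEvent:Connect(function(player, r)
--     r.Parent = nil
-- end)

-- AFTER: the server decides what may be touched. The argument must be an
-- Instance, must be a Sound, and must live inside the sender's own character.
local function isOwnFootstepSound(player, r)
	if typeof(r) ~= "Instance" or not r:IsA("Sound") then
		return false
	end
	local character = player.Character
	return character ~= nil and r:IsDescendantOf(character)
end

remote.OnServerEvent:Connect(function(player, r)
	if not isOwnFootstepSound(player, r) then
		-- Log the rejection so repeated attempts show up in server output.
		warn(("Rejected %s call from %s (UserId %d)"):format(
			remote.Name, player.Name, player.UserId))
		return
	end
	r.Parent = nil
end)
```

A remote left over from a retired system is safest deleted together with its handler; validation like this is for remotes that are still needed.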
Somewhat unrelated, but any scripter worth their salt should be leaving comments in their code telling others why that code is there and what it intends to do. It will save you significant pain if you ever get another scripter, new scripters, or if your scripter(s) have to go back to a script they’ve long forgotten.
The script was an old free model that hadn’t been removed. All of our devs leave comments.
At any time Roblox can stop giving a good amount of money, games can die as well, so it isn’t recommended to just do 1 game