Question about exploits

Hello,

Recently some exploiters were disrupting my game, specially with teleportation. I know that the player has complete ownership over their own character, but that was not the case. The exploiter teleported other players in the game and also could move his inventory items to other players inventory.
In resume, he teleported normal players of my game to his (exploiter) position and gave his tools (the tools the exploiter had on his inventory, normal game tools) to normal players.

I’m wondering if this is a security vulnerability on my game of if there are exploits capable of doing this.
Then my question is: Can exploiters teleport other players and give tools to other players?

5 Likes

Sounds like you have yourself a server sided backdoor. Check for some untrustworthy plugins, make sure that they are by the real creators and I HIGHLY suggest to not use freemodels as they contain server sided backdoors.

4 Likes

As far as I know, I believe you don’t have FilteringEnabled on(Ex. Mode on) and that exploiters only can give other players tools via admin commands. I have before exploited myself on alts and I couldn’t give other players tools nor could I teleport others, but just could ruin the game.

As SpacePuppy2 stated, you might have a backdoor in your game. Remove ALL unknown plugins, and renew the actual game itself. Try copying other models and block by block assembling a new, non-free-modeled model. Check for scripts as well, they also might contain any backdoors or scripts which give other players advantage of others.

1 Like

Filtering has always been enabled on my game. That isn’t the issue. The only script in the game that I’m aware of being capable of teleporting and giving items is the admin system (Basic Admin Essentials).

My game is currently being completely re-created, so if there is any hopefully they will be gone. Any special things that I should search on scripts besides require(n)?

And about the plugins, when removing them if the issue was one of the plugins, will the backdoor be gone as well or do I need to enable hidden items and inspect for possible backdoors on the Core Services?

You need to delete the backdoor as well, even if you remove the plugin.

That property does nothing anymore, all it does is cause confusion. I’m shocked it hasn’t been removed yet as it literally is a doormant property that does nothing.

1 Like

You can’t turn filteringEnabled OFF in the first place. It’s a useless checkbox which is going to sunset soon.

getfenv() and setfenv() are exploits used by RoSync, a known backdoor.
My games are also infected with a backdoor script which gives out “Creator”. It was on my old games and I can’t get it out and I’m too lazy to find it(?) - but again, it stays if I don’t remove it.

Remove them and see if your other games are infected as well.

1 Like

Good, let it stay like that. I remember when you’ve could remove it - oh it was pure torture.

1 Like

Yes indeed SpacePuppy2. But what if you can’t find it? Some people in a group made backdoored scripts banning me from the game and associated accounts and they’ve had to search all day long. But hey, you have a point.


@VinBR205

You can enable this property in studio settings:
image

It’ll help you find the backdoor a little easier.

4 Likes

Just searched on all scripts using CTRL + SHIFT + F for getfenv and setfenv, the only scripts that use getfenv is F3X Building Tools and the Handless Segway. I don’t think a backdoor could be on BTools but maybe on the segway. Both of them also requires external scripts with an ID.

No scripts are using setfenv though.

Most likely it was a Roblox security issue, not a backdoor in my game. But I will keep searching and ensure that no backdoors are present in the new version of my game.

Thanks everyone for the help and tips!

I don’t have the solution, but I can tell you that the problem is not just in your game, I’ve seen a lot of hackers in murder mystery 2 teleporting and giving tools to other players.

You can try searching all scripts with regex on require\([^.\)]*\). This will search all requires without a “.” in their brackets


Btw regex is the third option in the search all window
image

1 Like

You MUST have a backdoor if you only have BAE. I assume that your BAE model is infected or you have something hidden in InsertService or JointsService that you cannot access due to you having them hidden. Your best bet is looking for require and env using CTRL + SHIFT + F

There are no security flaws that allow full-on teleportation and serversided tool giving on Roblox.