Hello, I’m confused as to why i’ve been finding a random script in serverscript service. It’s obfuscated, so I can’t read it. I’m worried it’s a virus made by a plugin i found. I already have tried deleting it but it keeps coming back. Here’s the code.
Can you screenshot the plugins you have installed, and provide links to each one?
I’ve seen this before, found a similar issue with a game my friend was working on
Press Ctrl + Shift + F and search for “require”
Chances are there’s some random script hidden somewhere that’s inserting this script into your game
It might be labeled as an “anti-virus” or smth
If you can’t find anything then like konlon said it’s probably a plugin
It’s a lot of plugins. I’m going to remove them soon though. I am starting to suspect Low Poly Terrain Maker (the icon with the green island…) as the developer doesn’t match the one I saw on the website, so it might be a malicious duplicate.
Later on when I have some time, I’m going to follow the tips in this tutorial: Clearing your game of malicious scripts, plugins, and backdoors
To try to locate and remove the issue.
Screenshots:
https://gyazo.com/2f652db9f6a065e2d93248d3ddfe861b
https://gyazo.com/3a725f99af2cb778e6731c193a0f8962
https://gyazo.com/4ff3d4a69a6fb474f982fccef0fccc44
https://gyazo.com/47e30934e4499dee9d8b26e1069232d2
https://gyazo.com/55652288491439a800d02341131eb98d
@Vatikya Thanks, I tried that. There’s nothing that’s using a module so I’m guessing it’s a plugin as one of the plugins looks fishy.
That is Luraph obfuscation. AKA, exploit. Disable every single one of your plugins. Restart Studio. Remove the script. Enable a plugin and reload the place with each plugin. Once that script appears again, blast the offending plugin into orbit and report it. Keep going until you’ve gone through all of your plugins, there may be more than one.
This is tedious but it’s the only way to be sure.
Additionally you should go to ServerScriptService and DISABLE loadstring, once all of your plugins have been confirmed to not contain the malicious code.
Thank you so much. I’ll try this!
Edit: Did the exploit insert something into my game that keeps replicating the script?
I’m hoping that it didn’t lol
The reason you restart the place after every plugin uninstall is because plugins can install code in Studio that persists even after it’s uninstalled. But no, places on their own cannot run code in Edit mode, it has to be a plugin. And once you reload the place, no code persists from the old place.
Sorry, i’m posting so much questions,
Is there a way I can know if the plugin has put a hidden malicious script. I’ve heard of scripts not showing up but still being there. Would this tutorial be a good place to start if I notice weird things in my game? Clearing your game of malicious scripts, plugins, and backdoors
You know where the script is (ServerScriptService). Add plugins one by one so you know which one is inserting the script into ServerScriptService. Follow the instructions correctly and you will find the culprit.
That tutorial would be a good place to start if you still think your place is infected after removing the malicious plugin.
Okay thank you, I will do this and report back.
Yeah I’d remove the one whose creator’s name is “RobloxTopPlugins”, looks like a script kiddie anyway: https://www.roblox.com/users/1444562826/profile
That type of username is common with exploiters who want to make their stuff appear “official”
Thanks, apparently it’s a copy of a low poly terrain generator made by a different user. I actually think that is the exploit, so I’ll try to see if it’s causing the script to re-appear
If the backdoor goes away, make sure to go into every place and remove it…
I’m curious, what exactly does Luraph do? Just steal games or something else?
Luraph is an injector. Like most injectors, it has its own obfuscation method. Like Synapse Xen.
You can spot it easily because the long obfuscated string starts with LPH|
.
I did this and found the issue was with the low poly terrain generator. I suspected it all along, but I never actually restarted studio.
Thanks @Blokav for suggesting for me to remove it first.
Apparently there’s a deobfuscator on github, but I don’t know how to run it (i think i have to use repl.it)
If anyone’s curious: GitHub - xgladius/luraphStringDeobfusactor: Deobfuscates luraph strings [outdated]
If anyone’s willing to try to decode it go ahead, I’d love to see what the code actually does lol
This is very annoying if it happens, a backdoor virus. i had to check every part in my game and find some scripts that were called Welding and debounce. After deleting those scripts i got rid of it. Ofc i uninstalled all plugins also.
Is Luraph (The Discord Bot that obfuscates) an exploit? Should I not use it to “protect” my scripts from rebranders…?