Scam Exploit ! (help on how to resolve?)

Hello,

We’ve recently become aware of an exploit that is going on in our game where a player would join the game and be greeted by a fake menu where if they clicked the continue button it would make the user purchase a shirt to scam them out of Robux.

We’re assuming this is a backdoor on our part and cleared our plugins to make sure, although we’re pretty sure they were fine. We are relatively confident that this is not being caused by a remote event being abused. We then also looked through all the scripts including coregui to look for the following terms: require , luraph, synapse, string. , I , loadstring, getfenv , setfenv, IsStudio and the shirt Id

Few other details:

  • This is not occurring in all our game servers but only a few.
  • When I joined the server with this in it I could not access the devconsole, could have been because I wasn’t loaded in fully yet, not sure.
  • We think the gui is in coregui but are not certain about this.
  • This gui keeps popping up to everyone who joins that server (we assume exploiter was in here)
  • From player reports this has happened in another game as well

Does anyone have advice on what other steps we could undertake to resolve this?
My apologies if this isn’t the correct channel, just not sure about this.

22 Likes

First thing you should do right now is set Workspace.AllowThirdPartySales to false. Let’s just get that over with.

10 Likes

Well you will probably want to search every script you have. Look for ones that are not yours or models that aren’t yours.

Next, it’s probably not in coregui if it appears in game.

You can access the devconsole in a really wide variety of scenarios. Wait until you actually load in before trying it.

We have checked every script with Ctrl + Shift + F for all those terms and looked through everything for requires if they were legitimate or not and found nothing.

Checked in game settings as well and there it was on but in workspace it was off, disabled it for sure now.

1 Like

Not checking Ctrl + Shift + F or checking only require, check the scripts themselves. Manually.

It’s possible you have a malicious developer on the team who placed an embedded backdoor. Or maybe you have used a free model with a little extra spice in the mix. Either way, a blanket search is not going to cut it here.

Interesting.

Do you have any type of anti-exploit in your game?

Also what is your game name? I’ll see if I can run some of my diagnostics on the client side to see if I can get some info.

We are only with 2 and I’d bet my right hand on my other developer not being malicious; this is a big game that we both earn devex from, so this is highly unlikely.

We checked all the named values with Ctrl + Shift + F, don’t see what the point of opening every one is when that checks for those. They have to be requiring something or one of those would have had to show up, don’t they? But we’ll check everything manually just to be sure.

game

We have anti-exploit but it’s just basic stuff we coded ourselves, we didn’t import any “anti exploits”.

My game also has this, any solution yet?

No, not yet, but can I ask what plugins you have used? Maybe we had some in common.

It actually doesn’t. This only checks for the specific type of attack that assumes that the exploit is trying to run in a separate environment or is requiring from a server or something. It doesn’t check for obfuscated and embedded backdoors. You can easily write a backdoor that allows you to do anything without using any of the keywords that set it off.

When checking manually, make sure you know exactly who and when they wrote the script. Dissect it line by line so you understand what is happening. I have fallen victim to this type of attack before and the solution was just to go back and look at my main scripts.

1 Like
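An added example, not part of any post in this thread: a Luau snippet for the Studio command bar that inventories every script in the place so each one can be read line by line, which is the manual review recommended above. The keyword list is taken from the first post; the 500-character line threshold and the "review first" flag are assumptions, and a script without a flag still has to be read.

```lua
-- Added example: run from the Studio command bar (it needs access to Script.Source).
-- Lists every script for manual review; the flags are hints, not a verdict.
local KEYWORDS = { "require", "loadstring", "getfenv", "setfenv" } -- terms from the thread
local LONG_LINE = 500 -- assumption: very long lines often mean minified or obfuscated code

local function inspect(source)
	local lines = string.split(source, "\n")
	local longest = 0
	for _, line in ipairs(lines) do
		longest = math.max(longest, #line)
	end
	local hits = {}
	for _, word in ipairs(KEYWORDS) do
		if string.find(source, word, 1, true) then -- plain-text search, no patterns
			table.insert(hits, word)
		end
	end
	-- Decimal escapes inside string literals hide text from a plain keyword search.
	local _, escapes = string.gsub(source, "\\%d%d?%d?", "")
	return #lines, longest, hits, escapes
end

local report = {}
for _, inst in ipairs(game:GetDescendants()) do
	if inst:IsA("LuaSourceContainer") then
		-- Source can be unreadable for some instances, so guard the read.
		local ok, source = pcall(function() return inst.Source end)
		if ok then
			local lineCount, longest, hits, escapes = inspect(source)
			table.insert(report, {
				path = inst:GetFullName(), class = inst.ClassName,
				lines = lineCount, longest = longest, hits = hits, escapes = escapes,
			})
		end
	end
end

table.sort(report, function(a, b) return a.path < b.path end)
for _, r in ipairs(report) do
	local flag = (r.longest > LONG_LINE or r.escapes > 0) and " [REVIEW FIRST]" or ""
	print(string.format("%s (%s) lines=%d longest=%d escapes=%d keywords=%s%s",
		r.path, r.class, r.lines, r.longest, r.escapes, table.concat(r.hits, ","), flag))
end
print(#report .. " scripts listed; every one still needs a manual read")
```

Comparing the printed paths against the scripts each developer remembers writing is the quickest way to spot one that nobody on the team recognises.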

Would this have been caused by a plugin then? As far as I’m aware models can’t alter scripts, right?
But we’re looking manually through every script line by line now, thanks for the advice.

I saw some powerful backdoors that are able to interact with the game on studio, and put, delete stuff. Not sure about that tho.

This could have indeed been caused by a plugin, even after you remove all of your plugins, this type of attack would persist.

It could’ve also been done by a model depending on what exactly the attack even is (again - we never narrowed it down). I’m not sure what models you’ve used or if you’ve even used any so I can’t tell for certain.

2 Likes

Would you mind telling us what plugins you used? I think @SSSpencer413 is right about it being a plugin.

We haven’t inserted any models and if we insert models we always check them on a separate empty baseplate first to make sure, so I’m doubting it’s that. It’s probably going to be a plugin but we both haven’t changed plugins in a long time and it only started happening suddenly, so that’s why we’re confused as well. If it was a backdoor, why wouldn’t it be happening on all the servers for the exploiter to gain maximum profits is another thing I just find strange.

Only code we have from the library is adonis but gonna need a bit more time to go over that and a bezier module which we checked and was fine

This is a list of what I have, we have a slight suspicion it might be the datastore one but I’ve had this for a while and never had this problem before, already deleted it now though, so far found nothing in the code yet but we’re still looking.

1 Like

It might be the DataStore Editor plugin since the official one was created by sleitnick. (Post)

3 Likes

The datastore editor is a little bit sketchy because:

  1. Like @HugeCoolboy2007 said, the original one was created by another user
  2. The item is not on sale
  3. The YouTube video linked in its description is private
  4. The “logo” of the datastore plugin that you are using is a regular cylinder part in studio