We’ve recently become aware of an exploit going on in our game where a player would join the game and be greeted by a fake menu; if they clicked the continue button, it would make the user purchase a shirt to scam them out of Robux.
We’re assuming this is a backdoor on our part and cleared our plugins to make sure, although we’re pretty sure they were fine. We are relatively confident that this is not being caused by a remote event being abused. We then also looked through all the scripts, including CoreGui, for the following terms: require, luraph, synapse, "string.", "I", loadstring, getfenv, setfenv, IsStudio and the shirt Id.
A few other details:
This is not occurring in all our game servers, but only a few.
When I joined the server with this in it I could not access the dev console; it could have been because I wasn’t fully loaded in yet, not sure.
We think the GUI is in CoreGui, but are not certain about this.
This GUI keeps popping up for everyone who joins that server (we assume the exploiter was in there).
From player reports this has happened in another game as well.
Does anyone have advice on what other steps we could undertake to resolve this? My apologies if this isn’t the correct channel, just not sure about this.
We have checked every script with Ctrl + Shift + F for all those terms, looked through everything for requires to see if they were legitimate or not, and found nothing.
Not by checking with Ctrl + Shift + F or checking only for require; check the scripts themselves. Manually.
It’s possible you have a malicious developer on the team who placed an embedded backdoor. Or maybe you have used a free model with a little extra spice in the mix. Either way, a blanket search is not going to cut it here.
There are only two of us, and I’d bet my right hand on my other developer not being malicious; this is a big game we both earn DevEx from, so this is highly unlikely.
We checked all the named values with Ctrl + Shift + F; I don’t see what the point of opening every one is when that checks for those. They have to be requiring something, or one of those would have had to show up, don’t they? But we’ll check everything manually just to be sure.
It actually doesn’t. This only checks for the specific type of attack that assumes that the exploit is trying to run in a separate environment or is requiring from a server or something. It doesn’t check for obfuscated and embedded backdoors. You can easily write a backdoor that allows you to do anything without using any of the keywords that set it off.
When checking manually, make sure you know exactly who and when they wrote the script. Dissect it line by line so you understand what is happening. I have fallen victim to this type of attack before and the solution was just to go back and look at my main scripts.
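Added example (Python, not code from this thread, from the game, or from Roblox): a small scanner that shows concretely why a literal Ctrl + Shift + F misses the cases described in the reply above, and how to widen the check before the manual pass. The three sample scripts and the asset id in them are constructed for the demo; the keyword list is the one searched earlier in the thread plus the MarketplaceService calls that actually raise a purchase prompt. Everything else (function names, idiom names) is this example's own.

```python
"""Heuristic scanner for Lua/Luau backdoor indicators that a plain text search misses.

Added example, not code from the thread. A Ctrl+Shift+F for "require",
"getfenv", "string." and similar matches only text that is spelled out literally.
This scanner normalises the source first (decodes \\ddd and \\xhh string escapes,
rewrites ("").char(...) / string.char(...) byte lists into string literals, folds
"a" .. "b" literal concatenations) and then searches the decoded text as well.
It is a heuristic normaliser, not a Lua parser: decoded quote characters are not
re-escaped and mixed-quote concatenations are left alone.
"""
import re

# Indicators: the terms searched in the thread plus the MarketplaceService calls
# that actually raise a purchase prompt (a shirt prompt needs none of the others).
KEYWORDS = (
    "require", "loadstring", "getfenv", "setfenv", "luraph", "synapse",
    "MarketplaceService", "PromptPurchase", "PromptProductPurchase",
)

_DEC_ESC = re.compile(r"\\(\d{1,3})")                 # "\114" -> "r"
_HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")          # "\x72" -> "r"
_CHAR_CALL = re.compile(                               # ("").char(114, ...) or string.char(114, ...)
    r"""(?:\(\s*(?:""|'')\s*\)|\bstring)\s*\.\s*char\s*\(\s*([\d\s,]*?)\s*\)"""
)
_CONCAT = re.compile(                                  # "ab" .. "cd" (same quote style only)
    r"""(["'])((?:\\.|(?!\1).)*)\1\s*\.\.\s*\1((?:\\.|(?!\1).)*)\1"""
)
_DYN_CALL = re.compile(r"\]\s*\(\s*[A-Za-z_]\w*\s*,")  # t[name](t, ...): method call via computed name

IDIOMS = (
    ("decimal/hex string escapes", re.compile(r"\\(?:\d{1,3}|x[0-9A-Fa-f]{2})")),
    ("char() byte-list decode", _CHAR_CALL),
    ("literal concatenation", _CONCAT),
    ("dynamic method lookup t[name](t, ...)", _DYN_CALL),
)


def _dec(m):
    code = int(m.group(1))
    return chr(code) if code < 256 else m.group(0)


def normalize(src: str) -> str:
    """Return src with the obfuscation idioms above decoded into plain literals."""
    s = _DEC_ESC.sub(_dec, src)
    s = _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
    s = _CHAR_CALL.sub(
        lambda m: '"' + "".join(chr(int(n) % 256) for n in re.findall(r"\d+", m.group(1))) + '"', s
    )
    while True:                      # fold chains: "a" .. "b" .. "c" -> "abc"
        folded = _CONCAT.sub(r"\1\2\3\1", s)
        if folded == s:
            return s
        s = folded


def scan(src: str) -> dict:
    """Report indicators found literally (plain), only after decoding (hidden), and idioms seen."""
    decoded = normalize(src)
    return {
        "plain": sorted(k for k in KEYWORDS if k in src),
        "hidden": sorted(k for k in KEYWORDS if k in decoded and k not in src),
        "idioms": [name for name, rx in IDIOMS if rx.search(src)],
        "decoded": decoded,
    }


# Constructed sample scripts (not the game's code); the asset id is a made-up placeholder.
CLEAN_SCRIPT = """
local bezier = {}
function bezier.lerp(a, b, t)
    return a + (b - a) * t
end
return bezier
"""

PLAIN_BACKDOOR = """
-- the shape a Ctrl+Shift+F for "require" does catch
require(123456789)
"""

HIDDEN_PROMPT = r"""
-- same purchase prompt, spelled so that none of the searched terms appear literally
local plr = game.Players.LocalPlayer
local svc = game:GetService("\77\97\114\107\101\116\112\108\97\99\101\83\101\114\118\105\99\101")
local fn = ("").char(80, 114, 111, 109, 112, 116) .. "Pur" .. "chase"
svc[fn](svc, plr, 1234567 * 100 + 89)
"""

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_SCRIPT), ("plain", PLAIN_BACKDOOR), ("hidden", HIDDEN_PROMPT)):
        r = scan(src)
        print(f"{name}: plain={r['plain']} hidden={r['hidden']} idioms={r['idioms']}")
```

Run against the three samples, the clean module reports nothing, the literal require is caught by the plain search, and the third script reports nothing to the plain search but two hidden indicators and all four idioms once decoded. The point is the triage order: anything that trips the idiom list, or whose decoded form differs from its source, goes to the top of the line-by-line manual review the reply recommends; the scanner does not replace that review, since a backdoor can equally be plain, unobfuscated code sitting in a script nobody expects to contain a purchase prompt.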
Would this have been caused by a plugin then? As far as I’m aware, models can’t alter scripts, right?
But we’re looking through every script manually, line by line, now. Thanks for the advice.
This could indeed have been caused by a plugin; even after you remove all of your plugins, this type of attack would persist.
It could’ve also been done by a model, depending on what exactly the attack even is (again, we never narrowed it down). I’m not sure what models you’ve used or if you’ve even used any, so I can’t tell for certain.
We haven’t inserted any models, and if we insert models we always check them on a separate empty baseplate first to make sure, so I’m doubting it’s that. It’s probably going to be a plugin, but we both haven’t changed plugins in a long time and it only started happening suddenly, so that’s why we’re confused as well. If it was a backdoor, why wouldn’t it be happening on all the servers for the exploiter to gain maximum profits? That is another thing I just find strange.
The only code we have from the library is Adonis, but we’re going to need a bit more time to go over that, and a bezier module which we checked and was fine.
This is a list of what I have. We have a slight suspicion it might be the datastore one, but I’ve had this for a while and never had this problem before; I’ve already deleted it now though. So far we’ve found nothing in the code yet, but we’re still looking.