Hi all.
As of recent, my scripter and I have noticed these strange scripts in Workspace for a game we’re developing, and we have no idea what they are or mean. After some research and contact with my other developer friends, I’ve heard they’re malicious scripts spawned from the use of specific plugins?
I came here to know exactly what my scripter and I are dealing with, and how we can resolve this problem.
I myself don’t use plugins as I’m the creative for this project, and direct most of the creative aspects of the game such as the UI.
My scripter, however, uses plugins somewhat avidly, and I aim to find out what plugins (if plugins are the cause of this issue) are causing this problem.
Here's the list of all the plugins my scripter uses:
The plugins that are the potential cause of the problem will of course not be used by the scripter anymore, so if anyone knows for certain what ones are safe and what ones aren’t, it’d be appreciated if you’d let me know!
Apologies in advance if this thread hasn’t been posted it an appropriate category, I’m still finding my way around the DevForum
It’s the class converter. The guy basically just reuploaded Quenty’s classconverter and removed the credits and changed the logo.
It has this “SETTINGS” script which inserts those backdoor scripts.
Delete the plugin first, and then the scripts so they don’t come back. You can replace that plugin with the original (Quenty’s) or with a few others (I personally use Reclass)
Just remember not to use plugins from the library if you can, try to use ones found on the DevForum.
Alright, thank you for the informative response, I will pass it onto the scripter.
I have one question though, what do these backdoor scripts do? What does the owner of these scripts get out of it?
I actually had a similar problem this morning. A plugin that I downloaded carelessly injected some scripts into my place and was trying to use HttpService to import a private module I think. I don’t remember what it was trying to do. It has probably injected a script into a hidden service that you cant see in the explorer. The way I identified the hidden scripts was by running this code in the command bar
for x, object in ipairs(game:GetDescendants()) do
pcall(function()
if object.ClassName == "Script" then
print(object.Name.." Parented to: "..object.Parent.Name)
end
end)
end
I examinded the names of all the scripts that it printed in the output. If there was any name that had weird characters like that in it then I just ran that code above again but instead of printing the name I made it delete the scripts with the weird names. Hope this helps!
Its a real shame that for all the goodness of having a sharing, helpful group of developers we don’t have a ‘safe’ way of sharing what we have so those using whats sharded don’t get bitten.
A repository of Certified items would help with this and maybe better than doing a search of the DevForum to find a safe shared item.
‘rant over’
Developers can easily create repositories of plugins or share them via Learning Resources (the category for cool shared stuff) and even without the DevForum as a medium. The issue isn’t particularly complicated to be frank.
The main issue affecting developers, despite all Roblox does to try and combat bad actors, is that they aren’t helping themselves by checking the profiles or credibility of the users. A quick look at a profile is worth a lot, over blindly installing a plugin and spending an abundance of time wondering why your game is acting funny later. To top that off, asking the same question several times over on the DevForum.
There is more Roblox could be doing to combat this - they need to implement some form of basic monitoring for their plugin library. The fact an account can be made today, and immediately get to the front page of plugins is truly ridiculous.
I feel you’re placing too much blame on the user, Roblox holds some responsibility to removing abuse of their system. You’re not telling me a company as huge as Roblox cannot design an algorithm to detect such obvious abuse as what is going on right now.
His account was only made 3 days ago, yet it has over SIX plugins that are on the front-page, furthermore they are actually performing better than the original plugin which has way more downloads and favorites.
Roblox need to do more towards detection and removal of these bots, period.
Staff are doing the most they can to combat the bot issue whenever they can, wherever they can. Keep that in mind. Not every solution is as easy as it sounds.
I am putting blame on developers specifically because they have a weight in on this. While Roblox has a moderation team which needs to moderate hundreds of thousands of assets, developers are also responsible for vetting the tools they’re installing. You willingly trust another user’s code by installing a plugin and you can’t say you aren’t at fault if you don’t take the time to verify or clean your tools. That doesn’t make it solely the fault of Roblox for trying to fight an on-going fight that plagues lots (bots are not an uncommon thing to have, Roblox or not).
Furthermore, as a community member, instead of complaining about these kinds of plugins in a thread where it doesn’t matter, you need to actually help moderation by reporting the asset in question. They can’t moderate every single asset and an algorithm isn’t always reliable.
If you’d like to continue conversation, feel free to DM me. Discussion moderation practices is not the purpose of this thread.
I wont prolong it, but you missed my point. I was saying a system should be developed to automatically prevent the obvious issue of bots making it onto the front page. With the large entity that Roblox is they could invest into automatically removing bots. A machine could easily determine that a plugin with 0 favorites, thousands of downloads by an account made 3 days ago; is likely a bad actor. And I wasn’t taking all the blame away from the developers or complaining, just giving an alternative view to your stance.
It wont fix it all, but it will sure as hell prevent a lot more people from having back-doors placed inside of their game due to easily detectable bots plaguing the front page.
That’s what roblox had in mind when removing private modules, but did it work? Well, not really.
You see if someone is desperate, they can just obfuscate their backdoor’s source and insert that as new Scripts in workspace using a malicious plugin. No InsertService or require involved.
The only thing that removing private modules did is making it so malicious plugin devs just encrypt their code so much it’s nearly impossible to decrypt.
