Unknown backdoor being loaded

Hey Developers,

I’m a programmer for the popular talent show game, Roblox Talent Show. We recently came across a backdoor being loaded into the game, and this was randomly shown to us as we haven’t been in studio for a while and this just now appeared.

With Roblox adding a way to view what scripts load a module, I thought that would solve the mystery backdoor that popped up in the game. However, it didn’t.

In the attached photo, you can see the “Callstack” which would normally show where the loader for the backdoor is. However, it shows nothing.

Upon this backdoor loading, a bunch of text spams the server console, I assume to hide the backdoor.

Does anyone have any solutions to help fix this problem, or has anyone else had this issue before?

Look through every script in your game and see if you can find something you didn’t add.

Maybe try using the search part and searching “Callstack”? Not sure if this works, but I would assume it does.

The interesting thing about this is that I have published the main game to our debug test server, and the backdoor didn’t load in the debug server. It only loads in the main game, which confuses me.

All you can really do is look through your game and scripts for anything you didn’t make.
Try using Ctrl+F and typing:

require(6605726967)

But that's really all the advice I can give.
I found the module it's requiring but that's basically useless since the code is obfuscated.

I’ve tried the searching method.

I used the following keywords: return(function(), loadstring, require, getfenv, luraph, and some other keywords.

Hey there!

It really is hard to do anything by just typing here. Would you trust me to go into a version of the game and look through it? If I take any assets you can always take action as Roblox TOS states. And you would have all the proof right here on this post.

I have experience with viruses in the past, and have gotten pretty good at removing them.

If it isn’t appearing in the debug test server, maybe it is a plugin?
You can check the contents of the plugin using btroblox.

Do you have a loadstring enabled? Maybe the server you are in has code run by an exploiter to load that backdoor…?

If you don’t want me to have access, I would start at looking where it is requiring the assets, and what the script looks like.

You can do this by running it in studio and searching in scripts while the virus is running. If the virus is not running in studio search for:

if game:GetService("RunService"):IsStudio() then

Did you find anything?
If you’re getting the require callstack then there has to be a require somewhere.
Maybe just try searching for the asset id or the asset id reversed?

Does your game use InsertService at any point?

Press Ctrl+Shift+F and search for “getfenv” without the quotes. If you can’t find anything, search “_G” and then finally “require”.

You can also press Ctrl+Shift+X and search for “Script” to find scripts that you might have not added into your game.

Hold the CTRL+SHIFT+F keys together, this will open up global script search which allows you to search for phrases within all of the scripts which currently exist in the game.

Check what the model is, it shows you right there.

You might want to try “byte”. I’ve seen quite a few backdoors using string bytes.

Sorry for the late bump. Make sure to check each of your plugins. Ctrl+F require() in every plugin that you have installed; they may be hiding in a private service/property. Or just use a hidden backdoor scanner, if that helps you.

Oh, my friend told me it was the :face command where Adonis was vulnerable that time; it's patched now, so no need to worry. If you have any further questions, PM me via DevForum.
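
The keyword searches suggested across this thread (getfenv, loadstring, _G, a numeric require, the asset id or its reversal, string bytes), combined into one pass over every script in the place. This is an added Luau example for the Studio command bar, not code from any poster; the needle list and the 1000-character line threshold are assumptions, and the asset id is the one quoted above.

```lua
-- Added example: paste into the Studio command bar with the place open.
local ASSET_ID = "6605726967" -- id quoted in this thread; use the one from your own callstack

-- Plain-text needles taken from the keywords suggested in the thread.
local NEEDLES = {
	"getfenv", "loadstring", "_G", "InsertService", "IsStudio",
	"string.byte", "string.char", "string.reverse",
	ASSET_ID, string.reverse(ASSET_ID),
}

local function inspect(source)
	local reasons = {}
	for _, needle in ipairs(NEEDLES) do
		if string.find(source, needle, 1, true) then -- plain find, no patterns
			table.insert(reasons, needle)
		end
	end
	-- require() of a numeric asset id pulls a module from outside the place file.
	for id in string.gmatch(source, "require%s*%(%s*(%d+)%s*%)") do
		table.insert(reasons, "require(" .. id .. ")")
	end
	-- Heuristic (assumption): obfuscated payloads are often one very long line.
	for line in string.gmatch(source, "[^\r\n]+") do
		if #line > 1000 then
			table.insert(reasons, "line of " .. #line .. " chars")
			break
		end
	end
	return reasons
end

local flagged = 0
for _, inst in ipairs(game:GetDescendants()) do
	-- Some instances refuse property access; pcall skips them.
	local ok, source = pcall(function()
		return inst:IsA("LuaSourceContainer") and inst.Source or nil
	end)
	if ok and source then
		local reasons = inspect(source)
		if #reasons > 0 then
			flagged += 1
			warn(inst:GetFullName() .. " -> " .. table.concat(reasons, ", "))
		end
	end
end
print(("Scan finished: %d script(s) flagged"):format(flagged))
```

The scan only sees scripts stored in the place itself, so installed plugins and modules fetched at runtime still have to be checked separately. Matches such as `_G` are hints to review by hand, not proof of a backdoor.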