V2.1 - Plugin: Hidden Backdoor/Infection Script Detector (Detects/Removes infections from malicious plugins)

Did some searching of my plugins. It seems I installed a duplicate version of a plugin from a user named "djjagger". Searching the source code for the plugin he “made” shows that it’s a duplicate copy of the legitimate version of the same plugin except with a mess of obfuscated code toward the bottom, which I presume hides a backdoor.

Thought I’d mention this to you and to anyone else who’s reading through this thread to check their plugins and see if they’re made by this guy or anyone else who seems suspicious.

My friend tells me this djjagger fellow also got a WoT mod banned for having a keylogger inside of it. Hmmm…

1 Like

Should I use it?

  • Use it
  • Do not use it

0 voters

:stuck_out_tongue:

1 Like

Even though I have been very cautious about this, this will be useful for people who were not-so-cautious about this. I always check the favorites; if it has little to no favorites but a lot of sales, I know it’s been botted and could be a hidden backdoor or an infection script.

1 Like

Absolutely love this. Thank you!

Thank you for this plugin!

1 Like

V2.1.0 is now released! The plugin will notify users if they own a known malicious plugin as well as list the original plugin’s ID if known.

If you have found a malicious plugin that isn’t already in the known malicious plugins table then please make a post to the megathread so that I may add it to the list. (Preferably with a link to the original non-malicious plugin as well.)

1 Like

The plugin seems like a neat anti-virus plugin.

1 Like

Out of curiosity is this searching for rogue Backpacks and PlayerGuis?

Atm yes, if there is a Backpack or PlayerGui instance inside of any RL script context level 6 service then it will flag the backpack/playergui instance as an infection. If the area is not RL level 6 then it will scan all script/localscript/modulescript’s sources for any known infection code. This way developers can use backpacks without issue anywhere in their game (except in those RL level 6 areas that they shouldn’t be messing with in the first place.)

3 Likes

Alright rad.

Decided to see if this plugin worked. I didn’t even think the place I was in had any viruses until it scanned and returned 300 infected instances. Thank you so much for this plugin!

2 Likes

I’ve always used this single line for backdoor detection. :stuck_out_tongue:
for _, x in pairs(game:GetDescendants()) do pcall(function() if x:IsA("Script") then if string.match(x.Source, "require") then print(x:GetFullName()) end end end) end
Won’t work too well if you have a lot of modules…

2 Likes
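A narrower variant of the one-liner above, as an added example that is not part of the original post and not the plugin's own code: it covers every script type, flags `require` only when it is called with a numeric asset ID, and counts instances it could not read. The pattern list and the 500-character "long line" threshold are assumptions chosen for illustration, and the script is meant for the Studio command bar.

```lua
-- Added example for the Studio command bar; not the plugin's signature table.
local SUSPICIOUS = { -- assumed patterns, adjust to taste
	{ name = "require by asset ID", pattern = "require%s*%(%s*%d+%s*%)" },
	{ name = "getfenv call", pattern = "getfenv%s*%(" },
	{ name = "loadstring call", pattern = "loadstring%s*%(" },
}
local LONG_LINE = 500 -- assumed threshold for an obfuscated blob on one line

-- Returns the list of rule names that matched a script's source text.
local function scanSource(source)
	local hits = {}
	for _, rule in ipairs(SUSPICIOUS) do
		if string.find(source, rule.pattern) then
			table.insert(hits, rule.name)
		end
	end
	for line in string.gmatch(source, "[^\r\n]+") do
		if #line > LONG_LINE then
			table.insert(hits, "very long line (" .. #line .. " chars)")
			break
		end
	end
	return hits
end

local flagged, unreadable = 0, 0
for _, inst in ipairs(game:GetDescendants()) do
	-- IsA and Source can throw on protected instances, so guard both reads.
	local ok, source = pcall(function()
		if inst:IsA("LuaSourceContainer") then -- Script, LocalScript, ModuleScript
			return inst.Source
		end
		return nil
	end)
	if not ok then
		unreadable += 1
	elseif source then
		local hits = scanSource(source)
		if #hits > 0 then
			flagged += 1
			warn(inst:GetFullName() .. " -> " .. table.concat(hits, ", "))
		end
	end
end
print(("Flagged %d script(s); %d instance(s) could not be read"):format(flagged, unreadable))
```

A match is a prompt to open the script and read it, not proof of infection; legitimate code can also call `require` with an asset ID.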

I ran it and it found a script as a virus (it wasn’t so I just ignored it), but then if I scan again the scan icon keeps loading and never finds anything so it just runs for eternity. Is that supposed to happen if it finds nothing? Why not make a prompt saying that it found nothing instead of running for eternity?

edit: it appears a few times it will say Infecton not found, but other times it will run for eternity (it’s been 30 minutes, there’s no way it’s still scanning)

Unfortunately that doesn’t work for descendants of RobloxScript locked instances because they inherit the permission of their parent.

2 Likes

Plugins can access RobloxLocked instances? Didn’t know that… :frowning:

The way RobloxLocked instances work is kind of funny, actually. You can get a reference to an object through whatever means (usually GetService or FindFirstChild) and do whatever you want with it, including setting the parent of something to it, but if it’s RobloxLocked you can’t index it directly.

Plugins can access normal RobloxLocked Instances like the CoreGui just fine, but stuff like the CSGDictionaryService requires elevated permissions so you can’t directly index them. That’s why this plugin is a thing to begin with. I mentioned RobloxScript locked specifically because of this weirdness.

I have a bit of a more in-depth explanation for permissions here if you’re interested. It’s mostly unrelated but it defines script permissions and what RobloxScript means.

They can’t access them or their children through normal means (i.e. game:GetService("CSGDictionaryService"):GetChildren() will error) but you can set something’s parent to them (i.e. local Test=Instance.new("Script") Test.Source="--No print plz" print("Changed source") Test.Parent = game:GetService("CSGDictionaryService") print("Parented to RL object") wait() Test.Source="--Whoops, this won't work since it is now a descendant of a RL script context level 6 parent" will change the source (to stop an unremovable Hello world console print) then parent the new script to the RL service but by doing so it will lose access to indexing or otherwise altering the script.) This is an engine permissions glitch that Roblox intends to correct but for now a lot of malicious plugins are abusing this to inject backdoors into protected services in order to hide them from the developer and gain server-side execution access for them to execute whatever they’d like into the developer’s game.

6 Likes

I’m having a concerning problem, and without this plugin I don’t think I would’ve found it. Every time I start a new game in Studio and run a virus scan it always detects 2 infections. This can even be a baseplate and it still detects it. So what happens now? Is my Roblox infected or something? How can I get rid of those two viruses?

Check your plugins, try removing them one by one and seeing which you have to disable to stop this plugin from detecting them.

1 Like

Ah that fixed it, thanks. I found a phony Plugin and got rid of it and the viruses don’t pop up anymore. I still have a problem of being unable to show a DestroyedMenu though. I don’t know whether it was because of a bad plugin or if Roblox Studio was missing some files. Here’s my output when I right click on assets from the ToolBox.

16:25:45.061 - Unable to show a destroyed menu
16:25:45.062 - Stack Begin
16:25:45.062 - Script ‘Plugin_-1.Plugin.Core.Components.Asset.Asset’, Line 152 - field method
16:25:45.062 - Script ‘Plugin_-1.Plugin.Libs.Roact.SingleEventManager’, Line 41
16:25:45.064 - Stack End

1 Like