Verification in game Problem

It’s very possible one of these scripts is placing malicious scripts in your game without your knowledge. If you can’t pinpoint it, try uninstalling them and ensuring that you reinstall the legitimate versions of those plugins.

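-- List every script container in the place (run from the Studio command bar).
for _, v in pairs(game:GetDescendants()) do
	-- pcall per instance, so one instance that errors does not silently end the scan
	pcall(function()
		-- BaseScript covers Script and LocalScript; ModuleScript is a separate class
		if v:IsA("BaseScript") or v:IsA("ModuleScript") then
			print(v:GetFullName())
		end
	end)
end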

Execute this in the command bar, and see in the output if there are any Lua containers (aka scripts) that you don’t recognize.

And that affects all versions? Because I revert to old versions and it continues there.

Reverting to old versions won’t do anything. Plugins are installed to Studio, not to the specific game. Uninstall the plugins, reinstall legitimate versions, and then make sure malicious scripts from your old plugins aren’t hidden somewhere.

If it’s reverted, then there are 2 scenarios that I can think of: it’s code that was hidden and waited for a certain time/date to pass before making itself present, or it’s a plugin injecting the code. Could you DM me the place so I can investigate it myself?

I don’t see any script I don’t recognize

Okay so, I don’t know. It’s probably hidden in one of the recognizable scripts. Are you comfortable with direct messaging me the place so I can do some investigation myself and tell you what I think the problem is? It’s fine if you don’t.

1 Like

I already uninstalled the plugins, but it continues there.

Like I said, make sure it isn’t hiding its scripts in any of your Storages. Make sure the only scripts in places like ReplicatedStorage and the PlayerScripts/GUI are scripts you made.

1 Like

I see the problem. I am gonna clean up the place. There are scripts that contain obfuscated require functions.

Nope, I checked, and all is mine.

1 Like

I’ve cleaned up the place. It should be mostly virus-free. The main problem was free scripts (free model scripts).

The infections were as follows:

  • Spread
  • Vaccine
  • Welder
  • Hoverboard script (obfuscated require leading to infection)

After removal, none of the described issues were present any longer. To avoid future problems like this, don’t use free models or check them properly before using them.

4 Likes

Nicely done. I also never require by ID …I want the unchanging code that I can review myself.

1 Like

Require scripts in the viruses changed over time. Here are examples:

  • require(0000000)
  • require(0000000 * 0)
  • require(0000000 * 0):Run()
  • getfenv()["\000\000\000\000\000\000\000"]
  • getfenv()[string.reverse("\000\000\000\000\000\000\000")]

There are endless possibilities, but those are common ones. You can use require() by the ID, but make sure you require a trusted script from a trusted developer. Require isn’t evil, the code that is required might be.

4 Likes

I have heard of this happening multiple times recently, I suspect it’s from plugins. It’s very important you make sure the plugins are from the actual creators: sales #, creator account creation, visits, followers, plugin creation date, etc. Most plugins with the NEW UPDATED tags are fake.

I recommend you go through your plugins and really check to make sure the plugins are the real ones, as they can be injecting scripts.

Yeah I’ve seen the bytecode ones as well.

Call it paranoia, but I tend not to trust people; that doesn’t mean they aren’t trustworthy. All it takes is for a hacker to get access to the module owner’s account and change the code behind it to really cause a lot of problems. Or the developer could suddenly “break bad.”

These cases are probably very slim, but I don’t like to take those chances.

Very true and is why I refuse to run code that I can’t see before running it.

[EDIT] The main point is that requiring a module by ID can be perfectly safe one day and perfectly virus-filled the next. You have no control over updates the module owners make.

I have the same problem too. I tried looking for scripts with the require and a bunch of numbers. I did find some but it didn’t stop the problem.

Sounds like a plugin/script backdoor. The best way to get rid of this is to uninstall all your plugins (whether they are trustworthy or not, the creator could’ve gotten hacked), check all the scripts and GUIs, and then slap the game into an .XML file and try to see where it is, and extract it. Be very careful and save every part because if you mess it up, it can be catastrophic.

Also (like a comment above this one said somewhere) make sure to look for require scripts. If you added require codes but don’t recognize one, then paste it into an asset link and see what the model was.

This is a very good plugin to use for backdoors, though if it’s a plugin or this doesn’t detect it after a manual check, really your best way is a .XML file.
Remember that plugin is the only plugin that works in Studio live, it’s the most accurate, a trusted developer made it, it’s the best virus checker plugin you can get right now, though you should still do manual checks even after that scans your game.

3 Likes
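
Added example (not from any poster in this thread): a Python scanner that follows the suggestion above to save the place as an XML file and searches every script's source for the require patterns listed earlier. It assumes the place was saved as .rbxlx with scripts stored as nested `<Item>` elements whose Name and Source sit under `<Properties>`; the rule names, the function names and the sample place are constructed here.

```python
import re
import xml.etree.ElementTree as ET

SCRIPT_CLASSES = {"Script", "LocalScript", "ModuleScript"}
# Heuristics for the patterns listed in the thread; a hit means "review this line".
RULES = [
    ("require-by-id", re.compile(r"\brequire\s*\(\s*\(*\s*(?:0x[0-9a-fA-F]+|\d+)")),
    ("getfenv-lookup", re.compile(r"\bgetfenv\s*\(\s*\)\s*\[")),
    ("escaped-string", re.compile(r"(?:\\\d{1,3}){4,}")),
]

def _prop(item, name):
    """Text of the property called `name` on an <Item>, or ''."""
    for p in item.findall("Properties/*"):
        if p.get("name") == name:
            return p.text or ""
    return ""

def scan_rbxlx(xml_text):
    """Return (script path, rule, line number, line) for every suspicious line."""
    findings = []

    def walk(item, parents):
        path = parents + [_prop(item, "Name") or item.get("class", "?")]
        if item.get("class") in SCRIPT_CLASSES:
            for no, line in enumerate(_prop(item, "Source").splitlines(), 1):
                for rule, rx in RULES:
                    if rx.search(line):
                        findings.append((".".join(path), rule, no, line.strip()))
        for child in item.findall("Item"):
            walk(child, path)

    for top in ET.fromstring(xml_text).findall("Item"):
        walk(top, [])
    return findings

# Constructed sample standing in for a saved place; the IDs are placeholders.
SAMPLE = r"""<roblox version="4">
 <Item class="Workspace"><Properties><string name="Name">Workspace</string></Properties>
  <Item class="Script"><Properties><string name="Name">Hoverboard</string>
   <ProtectedString name="Source"><![CDATA[local m = require(script.Parent.Config)
require(0000000 * 0):Run()
getfenv()[string.reverse("\000\000\000\000\000\000\000")]]]></ProtectedString>
  </Properties></Item>
 </Item>
</roblox>"""

if __name__ == "__main__":
    print(*scan_rbxlx(SAMPLE), sep="\n")
```

A require of a local ModuleScript such as `require(script.Parent.Config)` is not flagged; only numeric arguments, `getfenv()` indexing and long runs of decimal escapes are reported, so every hit still needs a manual read.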

Would you like me to investigate your place? Just DM me. After investigation I will tell you what was causing the problem. I have nothing to do anyways lol.

1 Like

The same virus has been confirmed here: