Virus affecting scripts

This warning appears on both the client and server logs - I think it’s a virus due to it mentioning “haxed”. It is preventing certain functions in server scripts from running / working despite the scripts not showing any errors.

Things I have tried:

  • Searching all scripts for any words in the warning
  • Disabling all scripts in the game (warning still shows)
  • Publishing the game to a new place (warning disappears)
  • Disabling all of my plugins (not sure if it could be others’ on team create but I’m not able to contact them at the moment, it may possibly be due to a plugin)
  • No free models used as far as I’m aware
  • Searching all scripts for any malicious require() and getfenv() functions

How can I fix this?

2 Likes
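The script search listed in the post above can be done in one pass from the Studio command bar; this is an added example, not code from the thread. The search terms are the ones quoted in the thread, and the numeric-id `require` pattern is an assumption about what a suspicious call looks like.

```lua
-- Added example: paste into the Studio command bar, which can read Script.Source.
-- Only instances in the DataModel tree are visited; anything parented to nil
-- is not reachable from game:GetDescendants().
local TERMS = {
	-- Assumption: a suspicious require() loads a module by numeric asset id.
	{ label = "require(<asset id>)", pattern = "require%s*%(%s*%d+", plain = false },
	{ label = "getfenv", pattern = "getfenv", plain = true },
	{ label = "haxed", pattern = "haxed", plain = true },
	{ label = "FirstCommentCallsAreStupid", pattern = "firstcommentcallsarestupid", plain = true },
}

-- Returns a list of "line N: term" strings for one script's source.
local function scanSource(source)
	local hits = {}
	local lineNumber = 0
	for line in (source .. "\n"):gmatch("(.-)\r?\n") do
		lineNumber += 1
		local lowered = line:lower() -- case-insensitive match
		for _, term in ipairs(TERMS) do
			if lowered:find(term.pattern, 1, term.plain) then
				table.insert(hits, string.format("line %d: %s", lineNumber, term.label))
			end
		end
	end
	return hits
end

local scanned, flagged = 0, 0
for _, inst in ipairs(game:GetDescendants()) do
	-- Some instances cannot be inspected; pcall skips them instead of aborting.
	local ok, source = pcall(function()
		return inst:IsA("LuaSourceContainer") and inst.Source or nil
	end)
	if ok and source then
		scanned += 1
		local hits = scanSource(source)
		if #hits > 0 then
			flagged += 1
			-- Disabled scripts are reported too: they can be re-enabled later.
			warn(inst:GetFullName() .. " (" .. inst.ClassName .. ")")
			for _, hit in ipairs(hits) do
				print("    " .. hit)
			end
		end
	end
end
print(string.format("Scanned %d scripts, %d flagged", scanned, flagged))
```

A result of zero flagged scripts only clears what is stored in the place tree; it says nothing about installed plugins or content loaded from outside the place.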

What was your strategy for searching and disabling all the scripts?

My strategy was to use the Find all / replace all function

Does your game have anything enabled in the security section in game settings, and when you published the game to a different place, did the place have the same security settings?

I doubt you’re going to find: FirstCommentCallsAreStupid
In anything other than a script or plugin.

That was an oversight on my part, so it didn’t contain the same security settings. However, everything in the security section was enabled, and it persists despite disabling them.

As far as I can tell, you tried everything I would have tried to look, but you should definitely check your team members’ plugins and the recent tab in their toolbox to see if they inserted any free models when they are able to be contacted again.

If your team denies having any potentially malicious plugins, I’d recommend making a copy of the game and gradually removing areas of workspace and any scripts, periodically checking if you’re still encountering it. If you’re down to a baseplate and you’re still seeing those messages, then I’d suggest sending a place file here in case someone might be able to figure it out.

Edit: In the meantime, if you haven’t already, I recommend setting your game to private and disabling HTTP services.

Thanks for the suggestions. I tried changing all the developers’ access from Edit to Play and the warning persisted; I’m not sure if that disables their plugins though. It also still shows regardless of whether HTTP services are on or not. I’ll try stripping the game down to a baseplate to see if the warning still shows, and if so I’ll share that copy here.

Disabling HTTP services is more of a countermeasure against remote code execution in the event that the backdoor allows it.

The concern here with plugins is that a malicious plugin inserted something previously. There’s no way for them to be connected to the game and interact with it at runtime. If it was a plugin, then it planted something and that’s what we’re looking for. Though if something was inserted by a plugin, regardless if you remove it, it will be inserted again whenever the developer with the malicious plugin edits your game in studio again.

I just stripped the game down to a baseplate (removing everything from explorer) and the error still shows, but it doesn’t show on a downloaded copy. If it was inserted as a plugin, where could it be hiding?

A plugin could pretty much add the script and then parent it to nil so you’ll never find it. Since it’s not showing up in the copy, do me a favor and play your game normally. Does it still appear, or will it only show the message in studio? iirc downloading a copy downloads the last published version, but I may be wrong.

The downloaded copy is definitely just the empty place but I published it and downloaded it just in case. The warning still shows in studio and also playing normally.

I see. Might be a stretch, but try publishing the downloaded copy and see if the issue comes back up, or if it’s completely unique to the other game.

The warning doesn’t show when publishing the downloaded copy to a new place

Really interesting. In that case, it’s likely that the issue is indeed that a malicious plugin inserted a script, and it’s hidden or parented to nil so it isn’t being downloaded along with the place. I’d recommend trying downloading a copy of the updated game, then re-publishing it and seeing if that makes the message disappear. You may have to end up publishing as a new place entirely.

I just published a template Roblox Baseplate, overwriting it and the warning still shows. Even if a malicious plugin inserted code, shouldn’t doing this remove the script?

Did you publish from the downloaded copy, or the place you’re experiencing this issue on?

I initially published using this default Roblox template
But publishing using the baseplate I created from the original game still shows the warning

1 Like

Instead of using the “Download a Copy” setting, try using “Save to File” instead. Does that still yield the error?

Ignore me, I forgot that experiences with team create replace that option with “Download a Copy”. yikes. Alright, this is rough. To make sure I’m understanding:

  1. This doesn’t happen on copies
  2. Re-publishing the game replicates the issue regardless if you publish from the original or a copy
  3. There are no visible scripts or possible sources for what’s happening.

Plugins bad. no no use sketchy ones. There’s not really much I can recommend to do here, unless someone more experienced with things like this would like to pitch in. Either way, can you send the copy you made here so I can take a look?

The best thing might just be to roll back versions until it doesn’t happen anymore and make absolute sure that the plugin that caused this is no longer installed.