What is RoSync?

jake_4543 · February 18, 2021, 2:48pm

The idea that scam plugins have tags like [NEW] and [UPDATED] is pretty far fetched most scam plugins steal a big plugins code and then re upload it, it tricks people into thinking it’s the same plugin. Yeah a few scam plugins have tags like that but you don’t see many with that anymore.

UfoVR1337 · February 18, 2021, 6:18pm

True. Sorry. Although, there’s still a plenty of plugins with mentioned tags. Most of stolen plugins are on the bestselling page of library. Make sure to always look for scams. Those are usually uploaded mutliple times by fake devs, so if you see same plugin multiple times - that’s most likely a scam. Another trait of scam plugins is that they are uploaded by people/groups with similar names all the time; some examples would be: “Plugin Developers”, “Plugin Makers”, “TrustedPlugins”, “[DeveloperX]”, “FrontPlugins”, “Creator Studio”, etc.

So, I think it’s really easy to find a scam plugin. I never really had issues with downloading such. I have no idea why people keep getting “catfished”. Why do they??

Linux_Detected · February 18, 2021, 6:48pm

I heard of rosync before I want to look up for the company that provides backdoors to be honest

ScriptingIt · February 18, 2021, 11:32pm

Here are the GitHubs that are the source of the malicous code

github.com

Rerumu/Rerubi/blob/master/Source.lua

local Select	= select;
local Byte		= string.byte;
local Sub		= string.sub;

local Opmode = {
	{b = 'OpArgR', c='OpArgN'}, {b = 'OpArgK', c='OpArgN'}, {b = 'OpArgU', c='OpArgU'},
	{b = 'OpArgR', c='OpArgN'}, {b = 'OpArgU', c='OpArgN'}, {b = 'OpArgK', c='OpArgN'},
	{b = 'OpArgR', c='OpArgK'}, {b = 'OpArgK', c='OpArgN'}, {b = 'OpArgU', c='OpArgN'},
	{b = 'OpArgK', c='OpArgK'}, {b = 'OpArgU', c='OpArgU'}, {b = 'OpArgR', c='OpArgK'},
	{b = 'OpArgK', c='OpArgK'}, {b = 'OpArgK', c='OpArgK'}, {b = 'OpArgK', c='OpArgK'},
	{b = 'OpArgK', c='OpArgK'}, {b = 'OpArgK', c='OpArgK'}, {b = 'OpArgK', c='OpArgK'},
	{b = 'OpArgR', c='OpArgN'}, {b = 'OpArgR', c='OpArgN'}, {b = 'OpArgR', c='OpArgN'},
	{b = 'OpArgR', c='OpArgR'}, {b = 'OpArgR', c='OpArgN'}, {b = 'OpArgK', c='OpArgK'},
	{b = 'OpArgK', c='OpArgK'}, {b = 'OpArgK', c='OpArgK'}, {b = 'OpArgR', c='OpArgU'},
	{b = 'OpArgR', c='OpArgU'}, {b = 'OpArgU', c='OpArgU'}, {b = 'OpArgU', c='OpArgU'},
	{b = 'OpArgU', c='OpArgN'}, {b = 'OpArgR', c='OpArgN'}, {b = 'OpArgR', c='OpArgN'},
	{b = 'OpArgN', c='OpArgU'}, {b = 'OpArgU', c='OpArgU'}, {b = 'OpArgN', c='OpArgN'},
	{b = 'OpArgU', c='OpArgN'}, {b = 'OpArgU', c='OpArgN'}
};

This file has been truncated. show original

ScriptingIt · February 18, 2021, 11:46pm

Also someone told me this was an important part of the script http://45.79.27.137:8080/roblox DO NOT CLICK

Linux_Detected · February 19, 2021, 12:13am

Why what if I click it? Is it an ip grabber?

oreoollie · February 19, 2021, 12:30am

This isn’t malicious code. It’s a Lua bytecode interpreter.

ScriptingIt · February 19, 2021, 12:33am

I believe it is a webhook for the malicous Discord sever but I am not really sure. I would not click just to be safe

ScriptingIt · February 19, 2021, 12:41am

Nevermind it redirects this info to the webhook
idRmWkr

parker02311 · February 19, 2021, 7:23pm

Yeah, there behind a lot of these exploits on Roblox there pretty big.

RFL890 · March 1, 2021, 9:39pm

I looked up .source = in BTR and no findings other than:

BackspaceRGB · March 1, 2021, 9:40pm

Yeah I think it was just a coincidence

EzCreations · March 4, 2021, 1:31am

Recently I just got these inside of my game.

jsnotlout1 · March 4, 2021, 5:19am

Nice job! I joined and posted a warning on the group wall. I also reported the group and all there plugins

RFL890 · March 4, 2021, 3:24pm

Do you know the webhook address? One could hack it and bring it down, just saying

RFL890 · March 4, 2021, 3:24pm

Not asking for it, just asking if you know it

ScriptingIt · March 4, 2021, 7:08pm

Not at the moment I believe this has something to do with it http://45.79.27.137:8080/roblox

BackspaceRGB · March 4, 2021, 7:15pm

Heads up: maybe DONT click that link, could be something malicious, you never know.

RFL890 · March 4, 2021, 11:57pm

I clicked it without reading lol, nothing malicious it seems

ScriptingsMaster · March 26, 2021, 9:49am

RoSync is a backdoor that appears from malicious and usually fake plugins. RoSync can also be found in free models.

The backdoor seems to load a serverside mainmodule. However I personally do not think RoSync is a threat anymore since there is no proof that it is alive anymore. But because we can not be sure of this, it is recommended to remove the infection and plugin causing it.

RoSync can be removed with GameGuard Antivirus made by @deluc_t. (GameGuard Antivirus)