#Anti-Exploit Help

I'm trying to get into anti-exploiting. An exploiter entered our RP game and printed these in the server console.

Background:

• Our game contains only one 3rd party plugin/asset, Adonis (latest build, from official github). Everything else was custom made by our team.

My questions:

• How was the player able to add server scripts to their character and run it?
• Does Adonis have some sort of backdoor or hole exploiters are using? If so, how could I patch it up?
• Since the script originally ran from the player's character, can I just check for any descendant added in the character and flag it if it's a server script?
• Follow up question to the previous, is this the only way exploiters can gain access to the server? If I implement it, would it stop all exploits related to adding scripts to their character?

I'm assuming MakerModelLua is not the exploit itself, but the admin plugin the exploiter injected using their exploits.

More logs:

I'm trying to ctrl+shift+f everything in the logs, like the Requiring asset and such, but can't find anything. I regret I didn't use an in-game explorer viewer when the exploiter was around.. I feel like that would've helped me figure this out

How add serverscripts: backdoor or you did a big dum somewhere

Does adonis have backdoor? Who knows. if it does you can either try to fix it yourself or use a different admin system.

"Can you just"? no. it is part of it but there are always ways around it.

The only way exploiters can execute arbitrary code on your servers is if you let them.

you probably have a lua backdoor from toolbox

i suggest ctrl+shift+f for 'require' and 'getfenv' and make sure there are none unaccounted for

if adonis requires 3rd party you shit out of luck and you'll have to trace that the hard way or just ... don't use code that does this because it will always be a liability

e.g if adonis author ever gets hacked, every server using it will be vulnerable

same for any other that requires 3rd party

but 99% chance it's something you got from toolbox

We seldomly use models from the toolbox. If we ever do, we curate it and strip it off every script it contains and just keep the BaseParts.

All our systems (except adonis) were made by ourselves, so I'm fairly confident on the server scripts we made. I'm starting to think that that's the backdoor

I searched for getfenv, nothing came up, and require either looks clean or I don't know what I'm searching for. Do I look for require( lines that have variables instead of constants?

you're looking for require(0000000000) but it could be passed in by variables

a few i've seen are rather cryptic about it

And are these requires in server scripts or local scripts, or both?

Server, right?

and when I say cryptic, i mean the asset id is embedded in the number of letters of each word of some random asset's text description like marketplaceservice:getproductinfo and it interprets the item description as an encoded number like a a a it it the the can for something would be 1112233339

this is a real thing that really exists

But one thing's for certain, they use require?

yeah have to use require or an alias to require (getfenv)

you cannot alias or shorten both of them like ["re"]"quire" is impossible lua won't interpret this

I see.. so that's the main entry point exploiters use to access the server and inject stuff? I just have to find the culprit in our existing scripts?

i mean

u could prob loadstring

require

with obsfucateed variables

no at the point of loadstring you already have arbitrary code execution

local a = "re"
local b = "quire"

then loadstring

dont need require at that point

then you just search loadstring and same thing

uhh

you shouldn't have loadstring enabled in the first place for exactly this reason

Regardless, nothing came up with ctrl+shift+f'ing loadstring in our game

i mean it is still secure, but if you mess up and leave it unprotected then yea

like if you do remote.OnServerEvent:(function(v) loadstring(v) end) then you frankly deserve to be hacked

also random guess

if exploiter can execute server code

then they gonna know what game is it

so good chance they use http service

wat

(unless its like wide market)

oh yeah httpservice helps a lot but it is not strictly necessary

is why you should leave it off unless you have a good reason

Oh, yea we actually have HttpService enabled in our game. We use it for discord webhooks. Is that frowned upon ?

mind you all of this applies exclusively to the server. the client can do whatever they want and there's nothing you can do to stop them. only the server can be locked down.

that's not to say ignore the client, you can try to make it harder for skids to cheat but you can't outright stop it

But.. I think I read somewhere that HttpService can only be used in the server

server is more important anyway

I just want to at least block the generic exploits that can be used on most games. If they gonna exploit in our game, they should at least take the time to create a custom one for it

making anticheats is not for beginners i suggest you hire someone or ask your team to look into it

and i'm not going to go into the ins and outs of making one here, one because i haven't made one yet and it's kind of a low priority, and second you aren't paying for me to do that work ;p

Well yea, that's fine, I'm trying to get into anti-exploits myself. This is my first discussion about it

although i did put a crude skid trap in one of my games and caught a confirmed cheater in its first 1000 players

good old remote?

yep

just a random remote with "FreeAdmin" that only bans you if you fire it

Sorry, what does "skid" mean? I'm guessing it's the client searching for any and every remote available?

i remember when ugc wasnt public, there were many games where people give codes on discord and they get ugc if first (it was big)
And mf had whole ass channels with webhook to shame anyone who tried to exploit, it was so many

scripter kid

Ahh I see

most cheaters are skids they use other people's cheats and never make their own

But is that a thing tho? Searching for any remote they can use in the workspace

you can often stop the skids with a bit of monkey brain checks but you can't stop actual developers, only slow them down

Exactly the players I wanna block

exploiters can do EVERYTHING that localscript can

results speak for itself

I don't mind the actual developers. In fact I'd be honored if they waste their time making an exploit specifically for our game

I just want to stop the "skids" as you put it

so remotes everything

obviously it's not the only problem

shoulda shadow banned and kept the new rewards system

anyway i think i've covered enough to answer your question here, you need to know what you're doing to stop cheaters

the 5 robux per or whatever

That's actually funny, I'll add one for mine as well

it was just something in the interim. I am currently working on my game framework which will have fully featured admin system

anticheat is obviously going to go along with that.

Just to recap...

So to do anything in the server, exploiters have to use require, regardless of how they hide or obfuscate it? So I should really just check for any suspicious require?

correct. require or getfenv

Gotcha, thank you so much! 😄

getfenv lets you do the ["re"]["quire"] in a way that you can't simply keyword search "require" so you have to check both

I'll watch out for those too then, thanks!

oh my god

Woah. Big red flag as you should know by now.

I suggest you look into all remote events you use . The biggest leakage of exploits like this is not emphasizing on security in remote events.

remote events are not going to allow arbitrary code execution on the server

unless you have loadstring enabled and connected to a remote

which is usually unlikely

Definitely not arbitrary code execution

You’d be surprised in some specific cases it does

i’m having the same issue
i’ve already searched the basics,
“require, getfenv, eriuqer” and many, many, more, no defender plugin was able to find it either. this backdoor i have also doesn’t let me say “ban” or “kick”, however, i can say them with Uppercase K and B

what you mean 'doesnt let you'

y'know i offer virus cleanup service for a fee

coz it's one thing to search the right keywords, and another thing entirely to actually interpret the results

it replaces with blank

and like the word will not show up anywhere in the game no matter how u try to type it

maybe your admin system idk

bit of an odd backdoor

blocking the text in chat doesn't do anything ?

not being able to type ban or kick brings me back to the old days

this is a known backdoor brochaha

it’s odd but really widespread

and for a long time too

apparently it's probably just a bad copy of adonis

unofficial version

with backdoor in it

lol

i’ve been using the same adonis since like 2022

didn’t have this problem until august

oh really

aka outdated adonis

well i installed a new one still having the problem

it’s not the admin system

everyone is saying it is but it’s not

There's an adonis bypass script circulating the internet for well over a year now and it still isn't patched til today. It only takes a quick google search for a kid to get the script and load it in

I decided to ditch the system entirely and created my own admin commands system btw

Just because it's the latest version doesn't mean the maintainers patched the problem with the latest updates

well i can check for a fee ;p

did that fix your issue?

using your own code instead of 3rd party is a guarantee that things will work, coz you make it yourself

i’m nowhere near that advanced to craft my own admin system

exaaaactly

making this question pretty much moot

of course it would fix the issues if you could make this stuff yourself

well what if it’s not the admin system

same reason i dont have these issues, i make all my own stuff, and even if i were to use 3rd party, i know enough to understand what their code does

well i've made an offer

never use toolbox code without checking it

i don’t touch toolbox

must’ve been one of my devs, OR a plugin

malicious plugins are far, far worse than backdoors

malicious devs are well...

you've kind of lost before you already started

that's why you don't accept rando devs into your projects

like these people for example: #📜︱scripting message
#📜︱scripting message
#📜︱scripting message
#1424630655442227303 message
and anyone who offers to work for free