What exactly is a backdoor?

So I’ve been reading about “hackers” aka “skiddies” recently and I was just wondering. What EXACTLY is a backdoor in an Addon? What does it look like? How to prevent them?
(I’m really just looking to expand my knowledge here) :v:

A backdoor is just some code to do sneaky shit. Usually they’re not that complex and might open a vulnerability (like letting clients run server side code) or something that bans certain players.

They come in many poisonous flavors.

As far as I know the only way to stop/prevent them is to find and remove them.

They’re exactly what they say on the tin. A “back door entrance” to your serverside stuff. They can range from command executors which are relatively easy to block (disallowing client side Lua should stop most of them) to full shell access in the worst case. These ones are a bit harder to stop if you have no knowledge in the area of server security, and usually aren’t found in pure Lua addons.

A lot of the shittacular Lua backdoors are just the exploit code tabbed out of normal view. If your editor of choice allows, you can set tab width to zero and laugh at their silly attempt at a backdoor. The more complex ones are hidden in obfuscated Lua or modules, making them a bit harder to remove. The easiest way to avoid them is to only use trusted code, and modules that distribute their code freely.

Someone was telling me that one of their addons had a backdoor that had a command that equated to lua_run. This would allow anyone who knew the command to run any kind of Lua code they wanted.

Is RunString a backdoor type function? I heard that blocking that will help against most issues but if not it would let any “hacker” be able to run their script.

Pretty common in backdoors designed to run commands sent by a hacker on the server. Blocking it will work, but some addons and game modes might rely on it. And you’d have to hope that your overriding version of it runs before any other script.
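An added example, not part of the original thread: a small Python reviewer aid that covers the two tells mentioned above, code pushed off-screen behind a long run of tabs or spaces, and references to RunString or lua_run. The function name, the 120-column threshold, the tab width and the sample addon text are assumptions made for illustration.

```python
import re

# Names taken from the thread; extend the list for your own review.
DYNAMIC_EXEC = re.compile(r"\b(RunString|lua_run)\b")
OFFSCREEN_COLS = 120   # assumed: a gap this wide hides code in most editors
TAB_WIDTH = 4          # assumed editor tab width

def scan_lua(source, name="<addon>"):
    """Return (file, line, kind, detail) tuples for lines worth a manual look."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        # Tell 1: real code sitting after a very wide whitespace gap.
        for gap in re.finditer(r"[ \t]{8,}", line):
            before = len(line[:gap.start()].expandtabs(TAB_WIDTH))
            after = len(line[:gap.end()].expandtabs(TAB_WIDTH))
            rest = line[gap.end():].strip()
            # Skip gaps followed by nothing or by a plain Lua comment.
            if after - before >= OFFSCREEN_COLS and rest and not rest.startswith("--"):
                findings.append((name, lineno, "offscreen-code", rest))
                break
        # Tell 2: dynamic code execution, legitimate or not.
        for hit in DYNAMIC_EXEC.finditer(line):
            findings.append((name, lineno, "dynamic-exec", hit.group(1)))
    return findings

# Constructed sample: an ordinary-looking line with a call hidden 60 tabs to the right.
SAMPLE = (
    'local function greet(ply)\n'
    '    ply:ChatPrint("welcome")' + "\t" * 60 + 'RunString(remote_code)\n'
    'end\n'
    'hook.Add("PlayerInitialSpawn", "greet", greet)\n'
)

if __name__ == "__main__":
    for finding in scan_lua(SAMPLE, "sample.lua"):
        print(finding)
```

A dynamic-exec hit is a lead for manual review rather than proof of a backdoor, since some addons and game modes use RunString legitimately.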

An oddly common example of a back door is a script that gives certain players admin powers and such if you were to install said addon/script onto your server.

Maps themselves can also have backdoors in them, too. Hidden Lua code in the actual map file that can be triggered by hidden buttons and stuff has been found.

Indeed, there have been lua_run entities that will run on a button command or some shit, iirc