I use the GOTMLS Anti-Malware plugin on a number of sites. Within the past few days, it has started flagging css.php as a "known threat". I contacted the developer of GOTMLS and sent him a copy of css.php for evaluation. His response is as follows:
"I just added this definition because I found a new threat that includes a CSS file but the problem is, the CSS file contained malicious code that would then be executed if it was invoked with the include statement. My feeling is that the developers of that theme should change their code because it is a security risk. They should be using the echo file_get_contents instead of include because then there would be no chance of executing PHP code that might be contained in that CSS file. I know that the theme developers will likely disagree with me because they don't want to change anything and they probably think it's fine the way it is but I've seen this exact method get exploited, which is why I added it to my definition."
In the meantime, it is possible to whitelist the file in GOTMLS, so until something changes, that will have to be my solution. Passing this along as an FYI for Flynn and any users who encounter this issue.
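The difference the plugin developer describes between include and echo file_get_contents, shown as an added example (not code from the theme or from GOTMLS). The temporary file, the harmless PHP-RAN marker and the function names are constructed for illustration, and looks_tampered() is a hypothetical extra check that the quoted reply does not mention.

```php
<?php
// Constructed sample: a stylesheet with a harmless PHP marker appended,
// standing in for code injected into a theme's CSS file.
$css = tempnam(sys_get_temp_dir(), 'css');
file_put_contents($css, "body { color: #333; }\n<?php echo 'PHP-RAN'; ?>\n");

// Pattern being flagged: include runs the file through the PHP parser,
// whatever its extension, so any <?php block inside it executes.
function emit_with_include(string $path): string
{
    ob_start();
    include $path;
    return ob_get_clean();
}

// Suggested replacement: the file is read as bytes and never parsed.
function emit_with_read(string $path): string
{
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException("cannot read $path");
    }
    return $data;
}

// Hypothetical extra check: a stylesheet has no reason to carry a PHP
// open tag, so treat one as a sign of tampering instead of serving it.
function looks_tampered(string $data): bool
{
    return stripos($data, '<?php') !== false || strpos($data, '<?=') !== false;
}

$viaInclude = emit_with_include($css);
$viaRead    = emit_with_read($css);

echo "include executed the embedded code: ";
var_dump(strpos($viaInclude, '<?php') === false && strpos($viaInclude, 'PHP-RAN') !== false);

echo "file_get_contents left it as inert text: ";
var_dump(strpos($viaRead, '<?php') !== false);

echo "tamper check fires on the raw bytes: ";
var_dump(looks_tampered($viaRead));

unlink($css);
```

Reading the file as data stops execution, but the injected source would still be sent to the browser as text, which is why the example also checks the bytes before serving them.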