im having a strange issue.

A customer of mine using wordpress apparently from a plugin/addon/whatever (and without his knoledge) use to create file in /dev/shm/.svn/ with some executable (that cannot be executed since nosuid noexec in tmpfs partition) files with some ips in those files.

As a workaround i use to chroot that folder and chmod 700.

Ive tryed to search in user php pages for .svn folder or filename folder (that apparently files are random named) but i didnt figure it out.

Also i did check apache log and error for that domain (and subdomains) without success so… what i can do to find out which page and which plugin do that and why?

Thanks everyone who may give 2 cents

Regards