im having a strange issue.
A customer of mine using wordpress apparently from a plugin/addon/whatever (and without his knoledge) use to create file in /dev/shm/.svn/ with some executable (that cannot be executed since nosuid noexec in tmpfs partition) files with some ips in those files.
As a workaround i use to chroot that folder and chmod 700.
Ive tryed to search in user php pages for .svn folder or filename folder (that apparently files are random named) but i didnt figure it out.
Also i did check apache log and error for that domain (and subdomains) without success so… what i can do to find out which page and which plugin do that and why?
Thanks everyone who may give 2 cents