hey there,

I have a linux server running SME 6.0 Linux and lately users have been complaining that certain files have gone missing or have been reverted to older versions of the file. These files are stored in i-bays (samba shares) and are accessed by windows users inside the network. I don't know if I've been comprised or if some dodgey worker is deleting these files and / or replacing them with older versions.

Is there any way I can view logs of when someone has logged in via ssh, and also if there are any logs for samba usage?

Users have been very vauge in the description of the problem so I've asked them to compile a list of files that have gone missing so I can restore them off a previous tape backup.

From my knowledge, files can't simply go missing like that. Server was working for over 3 weeks before this started to occur and this leads me to believe it's caused due to some human intervention.
If I'm also being vauge in the description pls tell me and I'll try and fill in the blanks.

You can use the last -i command to see recent login activity. Samba should log all activity to /var/log/samba/ . If that doesn't exist, check your smb.conf file to see where it's logging:

# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log

Sounds more like a user doing something stupid (intentionally or not) rather than a cracker. I find it hard to believe someone would go through the trouble of breaking into your system and the only thing they do is delete files in a smb share and replace them with older versions.