[Samba] strange folder behavior

[Christopher Wensink]

Samba folks,

I have one of the owners (and myself) concerned about some file 
re-arranging that we just observed.  We run one main File server running 
Samba 4.10.16 on CentOS 7.9.2009 (Core).  Client computers are all 
Windows 10 Pro.  This is a stand alone file server not a domain 
controller, there are no DC's in this environment.  Each user has their 
own private Drive (Mapped as H:) on Windows.

15 minutes ago the user called me because he couldn't find an important 
folder he called "my documents H drive".

I ran a search on the server and I found the folder existing in a 
sub-folder of his H: called sales1 or salesl  (with the Putty Fonts on 
windows it's very difficult to distinguish lower case "L" from the 
number "1")

He swore to me that he did not create that folder or move his "my 
documents H Drive" into this sales folder.  The datestamp shows that it 
was his username that created the folder at 1:13 PM in my timezone.

There is nothing in the log file specific to his PC name in 
/var/log/samba/log.<pc-name> - it is 0 bytes.

I'm running antivirus / anti-malware scans on his machine now.

He's since moved his folder back to the root of his H: drive where it 
was, and where he frequently access the file) and removed the folder 
sales1 where it was residing.

Is there any other place in the system that I can look for evidence of 
foul play, or how else can I determine how this mysterious folder got 
created and his critical folder got put into it?

Chris

-- 
Christopher Wensink
IS Administrator
Five Star Plastics, Inc
1339 Continental Drive
Eau Claire, WI 54701
Office:  715-831-1682
Mobile:  715-563-3112
Fax:  715-831-6075
cwensink at five-star-plastics.com
www.five-star-plastics.com