  • Hi Alden,

    Thank you for the reply. I am the administrator and only user, which in my case means I know enough to be dangerous. I think there are larger issues that were and are happening.
    For example, in the past I have had permissions on directories for flexshares. I am constantly under attack, and I really don't know why, because I just run a simple website that I use as a sandbox and to track my spinner rides. Also, I use Plex Media Server.

    Anyway, I ended up just re-installing ClearOS on the box with a fresh install.

    What I do find concerning is that I got this after turning off the shell server (ssh):

    May 2 03:08:01 server runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
    May 2 03:08:02 server runuser: pam_unix(runuser-l:session): session closed for user cyrus


    May 4 03:22:01 server runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
    May 4 03:22:02 server runuser: pam_unix(runuser-l:session): session closed for user cyrus

    REF: https://man7.org/linux/man-pages/man1/runuser.1.html

    So basically, I learned I need to be more diligent in my port forwarding and which servers are run. I only turn on ssh when I need to use it; otherwise it is off.

    I don't know who cyrus is or why they are attempting to break in. There are only two logins that are really allowed.

    They may have gotten in and altered my ftstab (I believe this is the correct file name) file. It is where my bind mounts are located.

    Maybe someone will read this and recognize the same issues.

    Also, I have seen this:

    May 1 11:55:27 localhost login: pam_unix(login:session): session opened for user clearconsole by LOGIN(uid=0)
    May 1 11:55:27 localhost login: LOGIN ON tty1 BY clearconsole

    That is within the host, I believe, and may be normal.

    If anyone has any other thoughts, I would appreciate them.

    Thank you all!