"Established" state means that you have some network connection currently active. It may be Ubuntu checking for updates, browser fetching some data in background, ssh connection to some server - everything that connects anywhere over the network needs to have a connection established. So this is absolutely no sign that you have been hacked.
There's no definitive way to tell if you have been hacked or not. Ubuntu in default configuration is pretty secure so chances that you have been hacked are quite small. If you suspect that you have been hacked you should look for unusual processes running on the computer or unusual entries in the system logs (but you have to know first what are the usual ones...).
As far as the `netstat` output is concerned, you should look carefully at which connections are established. I will show you this with an example. Here is `netstat -ano` output from some Ubuntu machine (without the UNIX sockets part):
```text
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 172.28.248.76:35423     172.28.248.100:22       ESTABLISHED keepalive (4261.53/0/0)
tcp        0      0 192.168.137.60:47438    185.125.190.20:80       ESTABLISHED off (0.00/0/0)
tcp        0      0 192.168.137.60:33834    216.58.215.110:443      ESTABLISHED off (0.00/0/0)
tcp        0      0 192.168.137.60:53122    142.250.203.195:80      ESTABLISHED off (0.00/0/0)
tcp6       0      0 :::5900                 :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::80                   :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 ::1:631                 :::*                    LISTEN      off (0.00/0/0)
tcp6       0      0 192.168.33.130:5900     192.168.33.1:57782      ESTABLISHED off (0.00/0/0)
udp        0      0 0.0.0.0:43714           0.0.0.0:*                           off (0.00/0/0)
udp        0      0 0.0.0.0:68              0.0.0.0:*                           off (0.00/0/0)
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           off (0.00/0/0)
```
You should first check on which ports your machine is LISTENing. Look at the columns "Local Address" and "State". The machine listens on the following ports: 3306, 22, 5900 and 80. You can ignore listening port 631 as it listens only on the loopback address (`127.0.0.1` or `::1`), so nobody can connect to it from outside.
If you see any "ESTABLISHED" connection TO those ports (like in the line with `192.168.33.130:5900` in the "Local Address" column), it means some computer is connected TO a service on your computer that listens on this port. This MAY indicate a hacking attempt, but not necessarily - it may be a pretty "benign" connection. In this case, I am myself connected to this computer's desktop remotely from another computer, hence the connection from `192.168.33.1` to the remote desktop service (VNC) listening on port 5900. (Tip: if you see a random, high port number like - in this example - 57782, 35423, 47438, 33834 or 53122, this is usually the originating side of the connection. Services that you can connect to usually listen on lower-numbered ports.)
Port 80 is the web server - if you run a web server on your machine you usually know it, and it is completely normal to have established connections to that port - in this case there aren't any, as the web server is actually serving only one web application and it's currently not used.
Port 22 is the SSH server that allows remote login to the computer and, if it is enabled, it is usually a common target for hacking. If you run an SSH server, you should carefully watch out for any connections to this port that you don't recognize. It may be yourself or some other legitimate user connecting to this computer - but if the connection is from some strange place it is suspicious. Running `netstat` without the `-n` parameter will give you domain names instead of IP addresses of computers, so you can more easily recognize where the connection is from. Here we also don't have any connection to this port.
Port 3306 is the MySQL database server and it should usually be accessed only by the database applications you know. So you should also know the IP addresses they will be connecting from. If you see anything unknown connecting to this port, it is suspicious. Again, no connections to this port here.
The other four ESTABLISHED connections besides the one we already discussed are connections FROM this computer to some other computers - to the SSH service on server `172.28.248.100` and to web ports 80 (HTTP, insecure) and 443 (HTTPS) somewhere on the Internet (again, domain names would say more about where we are connecting to).
Also, the example is quite complicated regarding IP addresses in the "Local Address" column, because you can see three different IP addresses here (besides the loopback address): this computer has three network interfaces and is connected to three different networks. With a regular home computer, or even a server, you would usually have only one IP address here.
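The walk-through above can be turned into a small triage script. This is an added example, not code from the answer: it parses the `netstat -ano` listing quoted above and applies the same rules (which ports LISTEN and whether only on loopback, which ESTABLISHED connections come IN to a listening port, which go OUT from an ephemeral port).

```python
# Added example (not from the answer): triage of `netstat -ano` TCP rows.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 172.28.248.76:35423 172.28.248.100:22 ESTABLISHED keepalive (4261.53/0/0)
tcp 0 0 192.168.137.60:47438 185.125.190.20:80 ESTABLISHED off (0.00/0/0)
tcp 0 0 192.168.137.60:33834 216.58.215.110:443 ESTABLISHED off (0.00/0/0)
tcp 0 0 192.168.137.60:53122 142.250.203.195:80 ESTABLISHED off (0.00/0/0)
tcp6 0 0 :::5900 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::80 :::* LISTEN off (0.00/0/0)
tcp6 0 0 ::1:631 :::* LISTEN off (0.00/0/0)
tcp6 0 0 192.168.33.130:5900 192.168.33.1:57782 ESTABLISHED off (0.00/0/0)
"""

def split_addr(addr):
    """Split netstat's 'host:port' at the LAST colon (IPv6 hosts contain colons)."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))

def triage(output):
    """Return exposed / loopback-only listening ports plus inbound and outbound peers."""
    rows = [line.split() for line in output.splitlines()]
    # netstat prints no State column for UDP, so only tcp/tcp6 rows are classified.
    tcp = [f for f in rows if f and f[0] in ("tcp", "tcp6")]
    binds = {}  # local port -> set of "loopback" / "exposed" bindings
    for f in tcp:
        if f[5] == "LISTEN":
            host, port = split_addr(f[3])
            kind = "loopback" if host in ("127.0.0.1", "::1") else "exposed"
            binds.setdefault(port, set()).add(kind)
    exposed = {p for p, kinds in binds.items() if "exposed" in kinds}
    inbound, outbound = [], []
    for f in tcp:
        if f[5] != "ESTABLISHED":
            continue
        _, lport = split_addr(f[3])
        rhost, rport = split_addr(f[4])
        if lport in binds:   # a peer connected TO a service this host listens on
            inbound.append((rhost, rport, lport))
        else:                # this host connected OUT from an ephemeral port
            outbound.append((rhost, rport))
    return {"exposed": exposed, "loopback_only": set(binds) - exposed,
            "inbound": inbound, "outbound": outbound}
```

Feed it the output of `netstat -ano` from your own machine and compare the `exposed` set against the services you know you run, and the `inbound` peers against the hosts you expect to be connecting.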
`ESTABLISHED` is the state of the connection and, simplified, it means two machines shook hands and opened a direct line for packet exchange among them ... This happens when you simply check your email or browse websites and isn't limited to hacking ... Hacking can happen even without establishing a connection :-) (technically) – Raffa Oct 19 '23 at 15:09

`sudo ss -tulpn`) and evaluate running processes to ID if there are any "rogue" processes on it. Unfortunately the entire way of detecting 'rogue' processes is VERY difficult and far too complex and broad to answer in a single question/answer. – Thomas Ward Oct 19 '23 at 17:03