3 Rootkit
Tags
RE
Solved
DESCRIPTION
Cyber police recovered a rootkit that was used to steal 1000 Bitcoins from an online trading platform. They are asking for help to retrieve the hidden port that was used to access the compromised server. The only clue they can give you is that this rootkit holds different functions, but only one can be used as the mentioned backdoor. This will require some skills in reverse engineering and instruction reading, but the stakes are too high to fail.
QUESTION
Can you help the Cyber Police find a critical clue in the investigation?
SOLUTION
Open the binary in Ghidra.
Look for interesting functions. Let's look into the accept function, since a backdoor that waits for a connection on a specific port has to inspect incoming connections somewhere.
htons converts a port number to network byte order, so the constant passed to it is the port the rootkit is checking for.
Right-click the hex value in the listing view and convert it to decimal.
The answer is 19997.
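To make the pattern concrete, here is an added example (not the rootkit's code and not from the original write-up) of what a "magic port" check inside a hooked accept looks like in C, and how to decode the immediate that Ghidra shows next to htons. Only the port 19997 comes from the write-up; the function names, the peer address and the hex values are constructed for illustration.

```c
/* Added example: a hooked accept() typically compares the peer's sin_port
 * (network byte order) with htons(constant). Depending on the compiler the
 * listing shows either the host-order constant passed to htons (0x4E1D for
 * 19997) or, if htons was folded at compile time, the byte-swapped literal
 * (0x1D4E on a little-endian host) compared directly with sin_port.
 * Everything here except the port number 19997 is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define BACKDOOR_PORT 19997u   /* from the write-up; 0x4E1D in hex */

/* The check a backdoor hook performs on each accepted connection. */
int is_backdoor_peer(const struct sockaddr_in *peer) {
    return peer->sin_port == htons(BACKDOOR_PORT);
}

/* Decode a 16-bit immediate copied from the listing. If the immediate is
 * the argument of a run-time htons call it already is the host-order port;
 * if it is compared directly against sin_port it is in network order and
 * must be swapped back with ntohs. */
uint16_t port_from_immediate(uint16_t imm, int already_network_order) {
    return already_network_order ? ntohs(imm) : imm;
}

int main(void) {
    struct sockaddr_in peer;              /* constructed peer address */
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(BACKDOOR_PORT);

    printf("peer on port %u matches backdoor check: %d\n",
           BACKDOOR_PORT, is_backdoor_peer(&peer));
    printf("immediate 0x4E1D passed to htons -> port %u\n",
           port_from_immediate(0x4E1D, 0));
    printf("folded immediate compared raw    -> port %u\n",
           port_from_immediate(htons(BACKDOOR_PORT), 1));
    return 0;
}
```

When reading the listing, first decide which of the two cases you are looking at; converting the wrong one to decimal gives a plausible-looking but wrong port.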