While analyzing the malicious traffics where attacker got control over the server using a shell or back door and he was performing some command execution i noticed that the webserver is communicating with port 1337. so i confirmed this is that port.
Another way is to track that shell. cause he might try to spawn a reverse shell through this initial shell . On that traffic the attacker's ip and the port should be revealed.
