Tedob1 is right. If you need help from this thread then we need lots more detail on the topology of the network and how it connects to other systems, such as the Internet. But for you, the first place to start with is the logs. You should have logs on your servers, workstations and, if you have them, network devices such as routers. Start from the outside and work in loooking for suspicious or otherwise out-ot-pattern activity. Starting from the outside and working in should start to give you an idea of where the attacker broke in. From there you can start to narrow the search the first compromised servers/workstations to see what the hacker did. I'm sure many of us on the forum could provide some help in looking at the logs if you provide network topology details and post the logs.

Regards,

Alan Mott