Suggestion 1) Install Snort or some other network intrusion detection box.
Suggestion 2) Mirror whatever ports are being used by the two NT boxes to the NIDS and do a complete packet dump. Disable the software, 'watch' what the person does.
Suggestion 3) Backups of critical systems are essential and this is why. Take the data from the web sites and scrub the system. That is the only way you can be 100% sure that the intruder has been removed.
Suggestion 4) Make sure that all your systems are patched and up to date.
Suggestion 5) Do a complete trust analysis of the systems in question in relation to the rest of your network. It is possible their access could have spread throughout your network using any trust relationships. Perhaps that is even how they are getting into your server.
Suggestion 6) Don't change or alter anything before this. Use the NIDS to grab more evidence, ghost the drive (make 3 copies). One copy for you, keep the original unaltered, and the last copy for the police. Report the crime. Use the last drive to do more analysis. Do not change the original drive; it will be important evidence.
Hopefully from suggestions 1 & 2 you will see how the person keeps getting in. You have a lot of work to do. I am sure more will come to mind in a bit, but that is what came off the top of my head.
/nebulus
EDIT: Suggestion 7) After ghosting the drives and making backups, try something like Nessus to do a vulnerability check of your systems; maybe it will turn up how they got in.
Good suggestions on checking router/firewall logs and/or policy.
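As an added example (not part of nebulus's post, and not what the thread's tools do), here is the imaging step from suggestion 6 done with standard Unix tools on an analysis host: hash the source, take a bit-for-bit image with dd, make the analysis and police copies from that image rather than from the original, verify every copy against the source hash, re-hash the source afterwards to show it was not altered, and log each hash with a timestamp. It assumes the suspect drive has been pulled from the NT box and attached read-only (ideally behind a hardware write blocker) and is never mounted; the device path, output directory and case label are placeholders, and the test below stands a constructed file in for the disk.

```shell
#!/bin/sh
# Added example: forensic imaging with hash verification and a custody log.
# Usage: image_evidence /dev/sdb /mnt/evidence case001   (paths are assumptions)

hash_file() {
    # Print the SHA-256 of a file or device; GNU coreutils or BSD shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

image_evidence() {
    # $1 = source device (attached read-only, never mounted), $2 = output dir, $3 = case label
    src="$1"; out="$2"; label="$3"
    mkdir -p "$out" || return 1

    # Hash the original first so it can later be shown unchanged.
    src_hash=$(hash_file "$src") || return 1

    # Bit-for-bit copy. Plain dd stops on a read error; on failing media you would
    # use bs=512 conv=noerror,sync instead, but then unreadable sectors are zero-padded
    # and the image hash will no longer match the source hash.
    dd if="$src" of="$out/$label.master.img" bs=64k 2>/dev/null || return 1

    # Working copies come from the master image, not from the original again.
    cp "$out/$label.master.img" "$out/$label.analysis.img" || return 1
    cp "$out/$label.master.img" "$out/$label.police.img" || return 1

    # Verify every copy against the source hash and record it in the custody log.
    for f in "$out/$label.master.img" "$out/$label.analysis.img" "$out/$label.police.img"; do
        h=$(hash_file "$f")
        if [ "$h" != "$src_hash" ]; then
            echo "HASH MISMATCH: $f" >&2
            return 1
        fi
        printf '%s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$h" "$f" >> "$out/$label.custody.log"
    done

    # Re-hash the original after imaging to show that reading it changed nothing.
    if [ "$(hash_file "$src")" != "$src_hash" ]; then
        echo "SOURCE CHANGED DURING IMAGING" >&2
        return 1
    fi

    # Make the images read-only so analysis tools cannot quietly modify them.
    chmod 0444 "$out"/*.img
    echo "$src_hash"
}
```

The analysis copy is the one you run tools against; the master and police copies stay untouched, and the custody log plus the printed source hash is what you hand over with them.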