Tracking Telnet

I experienced an insider hack using the protocol Telnet. The user executed using either the Start>Run command line or the Start>cmd – to get to the DOS prompt.

The hack used our client workstations which could have been any number of Win95, 98, NT, or 2000 workstations.

How do you check out who or what workstation contributed to this hack? I’m trying to work backwards.

Thanks.