How could you have been hacked from the Internet? Wow, theres just too many ways to mention.
And anyway, I don't think you need to reproduce the attack, you need to perform an Incident Investigation and close up the holes you find.
The first thing Id examine is whether any of your systems is/was contactable directly from the Internet. Did you have a Firewall in place, and if so what ports/systems were unfiltered in the firewall, were your systems using NAT, and if so was any port forwarding in place. If you were using neither Firewall filtering nor NAT, then thats the first thing you want to fix. Make sure only required services are available from the Internet, and make sure any required services are hardened, patched and tested to confirm that they are not vulnerable.
The next most likely possibility is client side attacks. Opening a bad email, visiting a bad/compromised web site, opening a bad document could all be possible ways to get a client system (or a server system too if you are using it for client style operations) infected by malware. System patching (including third party applications) and a good auto protecting AV program is what you want here. Something like Secunia Personal software Inspector (or the Enterprise equivalent as appropriate) is good for determining whether your systems are appropriately patched. Its way easier than you think to get infected in this way - I have managed to get one of my test VMs compromised without even trying, and that is with close to zero contact with the big bad Internet.
Other possibilities are infection by a local file infector virus (copied from USB/CD/etc) or regular old local unauthorised access by a person.