Rocks system under attack

A customer has a Rocks cluster, and it was compromised yet again. We have tried hardening the system, but it appears that there is another vector, associated with key loggers and Windows machines.

Sadly, this customer's problems are largely self-inflicted, as they can’t seem to operate without running as the root user. I could say more, but I am somewhat pissed off that some of our critical advice was ignored, and then we are the target of some anger for the fact that they ignored the advice and were hacked.
No more freebies for edu customers. Our time costs money. I have salaries I have to pay, and if people want our time, they have to pay us for it. We helped these folks twice already, without getting compensation, spending ~20+ hours in total, as well as loaning them a node for 8+ months. All of that ends.
[update] We have the vector. See the next post.