Newbie Question on Joe Job

I have about three dozen sites under a reseller account on a major hosting
company. Early today I suddenly began to receive a huge flood (over 5,000)
of bounceback messages from "joe job" spams -- messages sent with forged
headers that made them appear to have come from one of my domains.



I decided to kill the entire site, which was not in active use and easily
replicated, so I terminated the account in WHM. When I did so, the "delete
account" report included the following warnings:



Updating internal databases...Updating ftp passwords for all users

Warning: Unable to determine mmoincc's main domain. Skipping vhosts password
update for this user.

Warning: Unable to determine enfermer's main domain. Skipping vhosts
password update for this user.

Warning: Unable to determine alarmasb's main domain. Skipping vhosts
password update for this user.



and so on, for 10 names. I did not create these users, and have no idea who
mmoincc, enfermer, alarmasb, etc. are. Their presence in the database
suggests to me that the website was compromised by hackers for use as a spam
portal. Is this correct?



If so, does this mean that other sites under this reseller account are also
likely to have been compromised? How do I check for "uninvited" users?



Did I do something wrong in setting up or managing the sites, or is there a
vulnerability at the hosting company level?



Is there anything I can/should do to secure my individual sites and my
reseller accounts, to keep out these intruders?



Less important, I'd be grateful for an explanation of how I can be receiving
these bouncebacks, since in CPanel on this site there is no "default"
address. I have no idea how the bouncebacks sent to" phoney_address @
mydomain.com" wound up being forwarded to me.



Thanks in advance for any advice, help or leads to solutions.

Reposting, minus annoying extra blank lines
-----------
I have about three dozen sites under a reseller account on a major hosting
company. Early today I suddenly began to receive a huge flood (over 5,000)
of bounceback messages from "joe job" spams -- messages sent with forged
headers that made them appear to have come from one of my domains.
I decided to kill the entire site, which was not in active use and easily
replicated, so I terminated the account in WHM. When I did so, the "delete
account" report included the following warnings:
Updating internal databases...Updating ftp passwords for all users
Warning: Unable to determine mmoincc's main domain. Skipping vhosts password
update for this user.
Warning: Unable to determine enfermer's main domain. Skipping vhosts
password update for this user.
Warning: Unable to determine alarmasb's main domain. Skipping vhosts
password update for this user.
and so on, for 10 names.
I did not create these users, and have no idea who mmoincc, enfermer,
alarmasb, etc. are. Their presence in the database suggests to me that the
website was compromised by hackers for use as a spam portal. Is this
correct?
If so, does this mean that other sites under this reseller account are also
likely to have been compromised? How do I check for "uninvited" users?
Did I do something wrong in setting up or managing the sites, or is there a
vulnerability at the hosting company level?
Is there anything I can/should do to secure my individual sites and my
reseller accounts, to keep out these intruders?
Less important, I'd be grateful for an explanation of how I can be receiving
these bouncebacks, since in CPanel on this site there is no "default"
address. I have no idea how the bouncebacks sent to" phoney_address @
mydomain.com" wound up being forwarded to me.
Thanks in advance for any advice, help or leads to solutions.