Web Dev: November 2011 Archive
Pages of my friend's websites were overwritten and had malicious JavaScript code inserted into them. Google's alert message appeared on one of those sites, so I just thought someone had reported the site as infectious out of ill will.
I looked for tips to get rid of it, and investigated suspicious files on the server. Then I found "log.php", which includes a PHP-based web shell function (and all the crack tools). The script can hack files and databases, and it even contains brute-force code.
I guess it was infected via a WordPress theme file. One of the library files in the "arras" theme, "timthumb.php", has a vulnerability. They attacked it and inserted the code.
See also the site "Tips for removing website malware -- Redleg".