There are two main reasons as to how your website can be compromised:
- The computer you are using to upload files to your website has malware/spyware which keylogs your FTP username & password.
- Your web application has security vulnerabilities in its code which allows attacker to access & modify your page to insert their malware.
How to deal with “Reported Attack Page”
If you are using common web applications such as WordPress, Joomla, Drupal, etc. You should update your web application to the latest version and update the plugins as well. Google has a list of basic security measures that webmasters should perform to prevent malware infection.
Below are a list of useful resources/guides on how to cleanup & harden your web applications from attacks.
After cleaning up your website, you will need to submit a website review request to Google Webmaster. Once Google has verified that your website is clean, the “Reported Attack Page!” warning will be removed.
If you don't have a Google Webmasters Tools account, you can create one for free at:
Bear in mind that usually it takes approximately 10 business day before your request is reviewed and the status of your website is changed.