Forum Moderators: phranque


what is NGINX trying to tell me?

         

Megunticook

2:29 pm on Jan 14, 2020 (gmt 0)

5+ Year Member



Have a WordPress site running on Ubuntu/NGINX, going through my NGINX error log, came across some entries that I don't fully understand. Wondering if somebody can clue me in as to what the problem is and how to fix it:

[error] 5487#5487: *95856 FastCGI sent in stderr: "Unable to open primary script: /usr/share/nginx/html/installer-backup.php (No such file or directory)" while reading response header from upstream, client: 172.31.44.66, server: mydomain.com, request: "GET /installer-backup.php HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.2-fpm.sock:", host: "mydomain.com"


Is PHP-FPM looking for a PHP file named "installer.backup.php" and not finding it? What is this file and why is it needed? Is this some sort of malicious attacker looking for this file to exploit?

Any advice appreciated.

not2easy

4:16 pm on Jan 14, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



My advice would be to review your domain's access logs to define what activity is related to this error. Then you can know the cause of it and have information in hand to make a decision about it.

It appears to be one of many common attempts to access non-public information. By reviewing your logs you can see what UA (and from where) caused the error.

phranque

10:17 pm on Jan 14, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



That IP address is a local / private address so the request is coming from a server within your network.

lammert

11:47 pm on Jan 14, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



A call for the installer-backup.php file is a known attack vector to trigger a vulnerability in WordPress sites with the Duplicator plugin installed. Your error message indicates that this PHP file is not present, and that you are probably not affected by this vulnerability.

Welcome to the hostile world of automated scripts scanning sites for security holes. If your site gets more widely known and comes on the radar of the hackers, you'll see more and more of these scans. Every day I see thousands of this type of random attempt to access files which may contain vulnerabilities.

Megunticook

5:17 pm on Jan 17, 2020 (gmt 0)

5+ Year Member



I figured this was a malicious probe looking to exploit a vulnerability. Thanks for confirming.
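An added example, not part of the original thread: one way to carry out the log review suggested in the replies above, by pulling the missing-script requests out of the NGINX error log, flagging whether the logged client address is private, and matching them against the access log to find the user agent. It assumes the access log uses NGINX's default "combined" format; the access log lines and user agent strings are constructed samples.

```python
import ipaddress
import re

# Matches the FastCGI "primary script" error quoted in the thread.
ERR_RE = re.compile(
    r'Unable to open primary script: (?P<script>\S+) \(No such file or directory\)'
    r'.*?client: (?P<client>[^,]+),.*?request: "(?P<method>\S+) (?P<uri>\S+)')
# Assumption: access log is in NGINX's default "combined" format.
ACC_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def missing_script_probes(error_lines):
    """Return one dict per request for a PHP script that does not exist."""
    probes = []
    for line in error_lines:
        m = ERR_RE.search(line)
        if m:
            probe = m.groupdict()
            # A private address means the logged client is a host inside
            # the network, so it is not the address to look up or block.
            probe["client_is_private"] = ipaddress.ip_address(probe["client"]).is_private
            probes.append(probe)
    return probes

def correlate(probes, access_lines):
    """Attach the user agents of access-log hits that match each probe."""
    hits = [m.groupdict() for m in map(ACC_RE.match, access_lines) if m]
    for probe in probes:
        probe["user_agents"] = sorted({
            h["ua"] for h in hits
            if h["client"] == probe["client"] and h["uri"] == probe["uri"]})
    return probes

# Error line as quoted in the thread.
ERROR_LOG = ['[error] 5487#5487: *95856 FastCGI sent in stderr: "Unable to open primary script: /usr/share/nginx/html/installer-backup.php (No such file or directory)" while reading response header from upstream, client: 172.31.44.66, server: mydomain.com, request: "GET /installer-backup.php HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.2-fpm.sock:", host: "mydomain.com"']
# Constructed access log lines (timestamps, sizes and user agents are made up).
ACCESS_LOG = [
    '172.31.44.66 - - [14/Jan/2020:13:02:11 +0000] "GET /installer-backup.php HTTP/1.1" 404 153 "-" "ExampleScanner/1.0 (constructed)"',
    '172.31.44.66 - - [14/Jan/2020:13:02:15 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"',
    '203.0.113.9 - - [14/Jan/2020:13:05:40 +0000] "GET /installer-backup.php HTTP/1.1" 404 153 "-" "OtherClient/2.0 (constructed)"',
]

if __name__ == "__main__":
    for p in correlate(missing_script_probes(ERROR_LOG), ACCESS_LOG):
        scope = "private" if p["client_is_private"] else "public"
        print(p["uri"], p["client"], scope, p["user_agents"])
```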