There is a bug in nginx that allows a normal file to be executed as PHP.

Proof of concept:
Code: 
http://localhost/robots.txt/index.php

Fix:
Open nginx conf and locate:
Code: 
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ .*\.php$ {
            root           html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;            
            include        fastcgi_params;
        }
The code may be different in your file because I edited mine; looking for "Pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000" should give a location similar to mine.

Add after:

Code: 
        # http://www.80sec.com/nginx-securit.html
        if ( $fastcgi_script_name ~ \..*\/.*php ) {
            return 403;
        }

Source (use Google Translate):
Code: 
http://www.80sec.com/nginx-securit.html
NewEraCracker
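An added example, not part of the original post: a Python model of how the post's `location` regex and its `if` rule classify request paths, useful for checking the rule before deploying it. It assumes Python's `re` matches these two patterns the same way nginx's PCRE does; the sample URLs and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Regexes copied from the post's nginx config. nginx "~" is a case-sensitive,
# unanchored match; re.search is assumed to behave the same for these patterns.
PHP_LOCATION = re.compile(r".*\.php$")
BLOCK_RULE = re.compile(r"\..*\/.*php")


def classify(url):
    """Return 'static', 'blocked' (403) or 'fastcgi' for a request URL."""
    path = urlsplit(url).path  # location matching ignores the query string
    if not PHP_LOCATION.search(path):
        return "static"  # never reaches the PHP location block
    # Inside this location $fastcgi_script_name equals the request path
    # (fastcgi_index only applies to paths that end in "/").
    if BLOCK_RULE.search(path):
        return "blocked"  # the added "return 403" fires
    return "fastcgi"  # handed to 127.0.0.1:9000


# Constructed sample requests.
SAMPLES = [
    "http://localhost/index.php",
    "http://localhost/blog/index.php?id=1",
    "http://localhost/robots.txt",
    "http://localhost/robots.txt/index.php",      # the post's proof of concept
    "http://localhost/uploads/avatar.jpg/x.php",  # same shape, other file type
    "http://localhost/v1.2/index.php",            # real script, dotted directory
]


def report():
    """Classify every sample and return (url, verdict) pairs."""
    return [(url, classify(url)) for url in SAMPLES]


if __name__ == "__main__":
    for url, verdict in report():
        print(f"{verdict:8} {url}")
```

The last sample shows a side effect of the rule: any directory name containing a dot causes legitimate scripts under it to receive a 403 as well.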