Thanks for your hints. Fortunately the issues disappeared. However, I would like to know how to troubleshoot it in the future.
The mentioned command produces this output (uninteresting lines filtered out):
bill3:~:# ss -nlt
Recv-Q Send-Q       Local Address:Port   Peer Address:Port
0      128                      *:111               *:*
0      128         92.240.244.176:80                *:*
0      5                       :::53               :::*
0      5                        *:53                *:*
0      1024             127.0.0.1:2812              *:*
What is Recv-Q/Send-Q? Is it the listen backlog queue length? How can I see if the queue is full? On this new server it is 128, but on the old one it is 511 (for both apache and nginx). Why?
/proc/sys/net/core/netdev_max_backlog is 1000
/proc/sys/net/ipv4/tcp_max_syn_backlog is 1024
And what is the number of ESTABLISHED sockets without an associated process? Are these the connections waiting in the queue to be accepted by nginx? I have these values now (while nginx is responding within a few ms to server-status and handling about 150 conn/s):
bill3:~:# munin-run netstat_tcpstates|grep SYN_RECV
SYN_RECV.value 127
bill3:~:# netstat -ntp|grep EST|grep -- \ -|wc -l
60