@Rob
Thank you for your advices! About /tmp, yes, you are totally right, I should remount it with noexec,nosuid. And I am now also monitoring /tmp using auditd. I checked all the sites configured in nginx, didn't find any unknown file.
Actually I may have found the cause: there is a solr...