Package: exim4
Version: 4.80-7+deb7u2

After updating exim to version 4.80-7+deb7u2, exim.c changes the CWD dir to / on startup.

Checking cwd=/some/vay was a popular heuristic for identifying the source of malware sending email. The output would look something like this:

2016-03-04 11:46:22 cwd=/root 9 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root

Now it looks like this:

2016-03-04 11:46:22 cwd=/ 9 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root
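Added example, not part of the original report and not Exim's own code: a sketch of the cwd heuristic described above, showing how it degrades once lines are logged with cwd=/. The function names and the sample log lines (including the /var/www/site/uploads path) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the report (not real logs).
SAMPLE_LOG = """\
2016-03-04 11:46:22 cwd=/root 9 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root
2016-03-04 11:47:01 cwd=/var/www/site/uploads 3 args: /usr/sbin/sendmail -t -i
2016-03-04 11:47:02 cwd=/var/www/site/uploads 3 args: /usr/sbin/sendmail -t -i
2016-03-04 11:48:10 cwd=/ 9 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root
2016-03-04 11:48:15 cwd=/var/spool/exim4 2 args: /usr/sbin/exim4 -q
"""

# Non-greedy cwd match so directories containing spaces still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"cwd=(?P<cwd>.+?) (?P<argc>\d+) args: (?P<args>.*)$"
)

def parse_cwd_lines(text):
    """Yield (timestamp, cwd, argv) for each 'cwd=... N args:' log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Splitting on whitespace is an approximation: the log does not
            # quote arguments, so an argument with spaces cannot be recovered.
            yield m["ts"], m["cwd"], m["args"].split()

def summarize(text):
    """Count submissions per working directory.

    Lines with cwd=/ are returned separately: after the change described
    in the report they no longer identify the submitting directory, so
    only the timestamp and argv remain as evidence.
    """
    per_cwd, uninformative = Counter(), []
    for ts, cwd, argv in parse_cwd_lines(text):
        if cwd == "/":
            uninformative.append((ts, argv))
        else:
            per_cwd[cwd] += 1
    return per_cwd, uninformative

if __name__ == "__main__":
    counts, lost = summarize(SAMPLE_LOG)
    for cwd, n in counts.most_common():
        print(f"{n:4d}  {cwd}")
    print(f"{len(lost)} line(s) with cwd=/ (source directory not recoverable)")
```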

