J-bot 6000

Q: AirPlayXPCHelper tries to connect to unknown home network

Why is the process "AirPlayXPCHelper" on my MBP trying to connect to an IP address outside of my home network?

The IP address it's trying to connect to is a typical home network address (e.g. 192.168.0.xx) but this IP address is different than my current home network addresses (e.g. 192.168.1.xx).

My MacBook is connected to my home network via wi-fi as are all other devices in my home.

I have no wi-fi or AirPlay devices with the address 192.168.0.xx on my network.

All connected devices are accounted for and all have been permanently assigned IP addresses.

All addresses on my home network are 192.168.1.xx, not 192.168.0.xx.

So why is AirPlayXPCHelper trying to connect outside of my home network? Is it trying to connect to a neighbour's AirPlay speakers or some other device?

MacBook Pro (13-inch Mid 2012), OS X El Capitan (10.11.1), 2.5 GHz Intel Core i5, 16GB RAM

Posted on Oct 22, 2015 12:29 PM

  • by DavesBlend,Helpful

    DavesBlend DavesBlend Dec 13, 2015 12:25 PM in response to J-bot 6000
    Level 1 (5 points)

    I am seeing this as well. I originally thought it might be some form of malware. Apparently there are three ranges of IP address that this occurs with. In my case I am seeing an outside network access in the 10.0.0.x range. The following link shows a bit more on the problem:

     

    http://apple.stackexchange.com/questions/217253/little-snitch-reports-outgoing-connections-for-airplayxpchelper-for-wron…

  • by rrovr5,

    rrovr5 rrovr5 Dec 13, 2015 12:00 PM in response to DavesBlend
    Level 1 (0 points)

    I also am experiencing this; it was persistent on connecting. So much that I had to disconnect from my home network, and yes, it had to be malware because Little Snitch wasn't even reacting to it. I have looked into this through respected Mac sites and they state that El Capitan has an exploitation and Apple has no clue on how to fix it.

    I have tried calling Apple for help and have yet to hear back from them. There is nothing of importance that I will lose if I do a clean install, but I am not too savvy on securing my Mac. Per a clean install, will it completely erase all keychains and traces of this malware? Also, do I really need to consider buying virus protection? Has it come to this? iMac late 2013, El Capitan

  • by J-bot 6000,

    J-bot 6000 J-bot 6000 Dec 13, 2015 12:23 PM in response to rrovr5
    Level 1 (0 points)

    Do you have links to these "respected Mac Sites" you looked through?

     

    How are you detecting this attempted connection if not via Little Snitch?

     

    I am skeptical of your information because it sounds like the common anti-apple trolling and purposeful disinformation I've encountered online over the years.

     

    Please state your sources and supply more details regarding your experience.

  • by J-bot 6000,Helpful

    J-bot 6000 J-bot 6000 Dec 13, 2015 7:30 PM in response to DavesBlend
    Level 1 (0 points)

    I have at least one neighbour that appears to have their iPhone set up as a wireless hotspot.

     

    Is it possible that these connection attempts are efforts to connect to that phone, or attempts to connect to another AirPlay device in my neighbourhood?

  • by rrovr5,

    rrovr5 rrovr5 Dec 13, 2015 12:44 PM in response to J-bot 6000
    Level 1 (0 points)

    Jknot,

    I am writing this through my iPhone due to not knowing what to do next. Do I perform a clean install? Will that solve my issue? This all really came to a boiling point last night: my process monitor had 4,000 attempts to connect to an unknown address and from what I remember it also said "file a radar" after every attempt. I assure you I'm not "trolling"; I don't even really know what that means 100%. Also not a very clever person in the Mac or computer world, I'm just a normal person that uses the Mac for recording and playing guitar. Please don't shoot the messenger. I am clueless as to what is going on with my Mac. I know my wifi was properly set up by Verizon and was a secure network as of last night.

    I did not open or download anything nor updated. This phone and my iPad have traces of some kind of tracker based on my diagnostics. I cannot get proper assistance from Apple and really want my privacy and iMac back to normal. If there's something I can do to solve this I would appreciate being pointed in that direction. Thanks

  • by clalun,

    clalun clalun Apr 26, 2016 5:12 AM in response to J-bot 6000
    Level 1 (4 points)

    Could this be connected to AirPlay peer to peer - Use AirPlay to wirelessly stream content from your iPhone, iPad, or iPod touch - Apple Support.

    Could it be an Apple TV that is within Bluetooth range that the Mac tries to talk to?

    /Claes

  • by guy.sutton,

    guy.sutton guy.sutton Apr 27, 2016 3:49 AM in response to J-bot 6000
    Level 1 (4 points)

    I had this exact same issue where Little Snitch detected external AirPlayXPCHelper traffic on port 7000 but treated it as internal traffic. What I mean is that even though I had all external traffic marked as deny, Little Snitch continued to prompt me on each connection attempt until I set it to deny local traffic (just for testing purposes); obviously I do not want to deny local traffic on this port... I do not understand why Little Snitch is interpreting this as local traffic (when the address is not in the local DHCP scope). A bug with Little Snitch perhaps? When I read the post about AirPlay it got me thinking about how AirPlay technology works, as it now uses Bluetooth to establish connections between devices. I was unable to repeat the issue with local connections enabled and Bluetooth disabled.

    Long story short, I am now convinced this is simply a bug in Little Snitch and not someone trying to hack into my network.

  • by gegar,

    gegar gegar Apr 28, 2016 6:00 AM in response to guy.sutton
    Level 1 (8 points)
    Mac OS X

    Same problem here. AirPlayXPCHelper is sending packets every second to the external address 116.129.1.107 using port 7000. The address is in China.

    Do you have an md5 or sha256 for the /usr/libexec/AirPlayXPCHelper, just to confirm that the file has not been modified?

    Using Mac OS X El Capitan 10.11.4 (15E65)

     

    shasum -a 256 /usr/libexec/AirPlayXPCHelper

    5e99b399ff558b0214cbb0acf2f574bb139f27d017cb5006ec95b77fe7f8a1b7  /usr/libexec/AirPlayXPCHelper

     

    md5 /usr/libexec/AirPlayXPCHelper

    MD5 (/usr/libexec/AirPlayXPCHelper) = 14a34e13e9f31a6eb31b4bec8f394e83
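
Added example, not part of any post in this thread: a small triage script that sorts the destinations reported above into "on my LAN", "private range but not my LAN" (the 192.168.0.xx and 10.0.0.x cases) and "public" (the 116.129.1.107 case), since the three call for different follow-up. It assumes the asker's LAN is 192.168.1.0/24; the log line format and every sample address except 116.129.1.107 are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the asker's home LAN (192.168.1.xx) is a /24.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
# RFC 1918 private ranges: never routed across the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records ("process dest_ip:port"); not a real firewall log format.
SAMPLE = """\
AirPlayXPCHelper 192.168.1.40:7000
AirPlayXPCHelper 192.168.0.23:7000
AirPlayXPCHelper 10.0.0.5:7000
AirPlayXPCHelper 116.129.1.107:7000
AirPlayXPCHelper 169.254.77.12:7000
"""

def classify(dest, home_net=HOME_NET):
    """Label a destination relative to the home subnet."""
    addr = ipaddress.ip_address(dest)
    if addr in home_net:
        return "on-lan"
    if addr.is_link_local or addr.is_loopback or addr.is_multicast:
        return "special"            # e.g. 169.254.x.x self-assigned addresses
    if any(addr in net for net in RFC1918):
        return "private-off-lan"    # private range, but not this LAN's subnet
    return "public"                 # routable on the Internet

def triage(log_text, process="AirPlayXPCHelper", home_net=HOME_NET):
    """Group one process's destinations by classification."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] != process:
            continue
        host, _, port = parts[1].rpartition(":")
        try:
            buckets[classify(host, home_net)].append((host, int(port)))
        except ValueError:
            continue                # skip a malformed address or port
    return dict(buckets)

if __name__ == "__main__":
    for label, dests in triage(SAMPLE).items():
        print(label, dests)
```

Traffic to a "private-off-lan" address cannot leave the home network through a normally configured router, whereas a "public" destination is the case where checking the binary's hash, as in the post above, is a reasonable next step.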