AirPlayXPCHelper tries to connect to unknown home network

I am seeing this as well. I originally thought it might be some form of malware. Apparently there are three ranges of IP address that this occurs with. In my case I am seeing an outside network access in the 10.0.0.x range. The following link shows a bit more on the problem:

http://apple.stackexchange.com/questions/217253/little-snitch-reports-outgoing-c onnections-for-airplayxpchelper-for-wron…

I'm seeing this from all my El Capitan Macs, both wireless and wired. In my case I see connections to multiple 192.168 networks that are not part of my home environment. There's only one destination IP per network and all my Macs are trying to reach it. I have a firewall on my network that is seeing the traffic, blocking it, and logging it. Nothing I've done has been able to make it stop short of an aftermarket firewall on the Macs themselves.

For those that are curious you don't need LittleSnitch to see the traffic. I can see it using lsof -Pnl +M -i4 | grep 7000. Or, if you want, change the 7000 to a network other than your own. If you run the command as root it will also show the process owner, etc. In fact, I'm not sure if this isn't what LittleSnitch is actually using under the hood.

I Also am experiencing this it was persistent on connecting . So much that I

had to disconnect from my Home Network and yes it had to be Malware because

LIl snitch wasn't even reacting to it . I have looked into this thru respected Mac Sites

and they state that El Capitan has a Exploitation and Apple has no clue on how to fix it .

I Have tried calling Apple for help and yet to hear back from them . There is nothing of Importance

that I will lose if I do a clean Install but I am not too savoy on securing my Mac . If per a clean install

will it completely erase all keychains and traces of this Malware ? Also do I really need to consider buying a

virus protection has it come to this ? IMac late 2013 El Capitan

Jknot ,

i Am writing this through my iPhone due to not knowing what to do next . Do I perform a clean install will that solve my issue .? This all really came to a boiling point last night my process monitor had 4,000 attempts to connect to a unknown address and from what I remember it also said "file a radar " after every attempt . I assure u I'm not "trolling " I don't even really know what that means 100%. Also not a very clever person in the Mac or computer world I'm just a normal person that uses the Mac for recording and playing guitar . please dont shoot the messenger . I am clueless to what is going on with my Mac . I know my wifi was properly set up by Verizon and was a secure Network as of last night .

I Did not open or download anything nor updated . This phone and my iPad have traces of some kind of tracker based on my diagnostics . I cannot get proper assistance from Apple and really want my privacy and iMac back to normal if theres something I can do to solve this I would appreciate being pointed in that direction . Thanks

Could the be connected to Airplay peer to peer - Use AirPlay to wirelessly stream content from your iPhone, iPad, or iPod touch - Apple Support.

Could it be an AppleTV that is within bluetooth range that the mac tries to talk to?

/Claes

I had this exact same issue where Little Snitch detected external AirPlayXPCHelper traffic on port 7000 but treated it as internal traffic. What I mean is that even though I had all external traffic marked as deny, Little Snitch continued to prompt me on each connection attempt until I set it to deny local traffic (just for testing purposes), obviously I do not want to deny local traffic on this port... I do not understand why Little Snitch is interpreting this as local traffic (when the address is not in the local DHCP scope), a bug with Little Snitch perhaps? When I read the post about AirPlay it got me thinking about how AirPlay technology works, as it now uses bluetooth to establish connections between devices. I was unable to repeat the issue with local connections enabled and bluetooth disabled.

Long story short I am now convinced this is simply a bug in Little Snitch and not someone trying to hack into my network.

Same problem here. AirPlayXPCHelper is sending packets every second to the external address 116.129.1.107 using port 7000. The address is in China.

Do you have an md5 or sha256 for the /usr/libexec/AirPlayXPCHelper just to confirm that the file has not been modified.

Using Mac OS X El Capitan 10.11.4 (15E65)

shasum -a 256 /usr/libexec/AirPlayXPCHelper

5e99b399ff558b0214cbb0acf2f574bb139f27d017cb5006ec95b77fe7f8a1b7 /usr/libexec/AirPlayXPCHelper

md5 /usr/libexec/AirPlayXPCHelper

MD5 (/usr/libexec/AirPlayXPCHelper) = 14a34e13e9f31a6eb31b4bec8f394e83