It was a 'heads-up' to everyone to keep an eye of what portmapper is doing.
(Original article was aimed more at the Service industries but also of interest to anyone who may be running their own web server.)
It is a common port used on many systems as part of running everyday applications. (uPNP (as you stated), Remote Procedure calls)
Random quote on Portmapper:
The port mapper (rpc.portmap or just portmap, or rpcbind) is an Open Network Computing Remote Procedure Call (ONC RPC) service that runs on network nodes that provide other ONC RPC services.
Version 2 of the port mapper protocol maps ONC RPC program number/version number pairs to the network port number for that version of that program. When an ONC RPC server is started, it will tell the port mapper, for each particular program number/version number pair it supports for a particular transport protocol (TCP or UDP), what port number it is using for that particular program number/version number pair on that transport protocol. Clients wishing to make an ONC RPC call to a particular version of a particular ONC RPC service must first contact the port mapper on the server machine to determine the actual TCP or UDP port to use.
Versions 3 and 4 of the protocol, called the rpcbind protocol, map a program number/version number pair, and an indicator that specifies a transport protocol, to a transport-layer endpoint address for that program number/version number pair on that transport protocol.
The port mapper service always uses TCP or UDP port 111; a fixed port is required for it, as a client would not be able to get the port number for the port mapper service from the port mapper itself.
The aim of the people (mis)using this port is to slip past the standard protections in place because portmapper has to be let through firewalls etc in certain circumstances for many systems to operate.
(i.e. if you cannot call port 111 you cannot discover the port numbers you are allowed to use)
It is an extension of the idea to use common ports in 'bad' ways under the hope that things may sneak past the 'gate-keeper' because the port used and/or protocol used is not expected to be hostile.
The fact that the number of attacks are increasing shows that it is considered to be a target worth going for.
Thought it might be useful to warn anyone who may be running their own web server etc as it may be unexpected.