[FR] Behind the Scenes of Web Attacks

Presented at Nuit 2013 by

In recent years, web attacks have been evolving in number and sophistication, targeting governments and high-profile companies, stealing valuable personal user information and causing financial losses of millions of euros. Hundreds of attacks and vulnerabilities have been discovered on the Web, and several reports and studies have analyzed in detail how websites are compromised, and how several classes of attacks are performed in the wild. However, none of them has sufficiently studied the typical behavior of an attacker, i.e., the reason(s) why he or she is exploiting websites. This work presents the design, implementation, and deployment of a network of 500 fully functional honeypot websites, hosting a range of different services, whose aim is to attract attackers and collect information on what they do during and after their attacks. In 100 days of experiments, our system automatically collected, normalized, and clustered over 85,000 files that were created during approximately 6,000 attacks. By analyzing the clusters, we were able to draw a general picture of the attack landscape, identifying the behavior behind each action performed both during and after the exploitation of a web application (such as installing a phishing web page, a botnet script, or a local exploit to escalate privileges on the compromised machine).