If you can talk to your systems admin, ask them if there's an htaccess script you can call in the cgi-bin folder. Then you place a small htaccess call file in any folder you want to keep people from linking off-site. The file has the allowed referrer (your server) and the file extensions you allow the referrer to load. All other (disallowed) referrers are blocked from loading any files. Javascripts are useful until the thieves locate the path to the files they want in unprotected folders with no htaccess call.