The dashboard will be different from the command line as it doesn't instantly update - you'll need to complete your session for that file to be written to.
If you're seeing several IPs there you don't recognize, especially if they are from countries you don't think should be accessing your system, your account could be compromised. Do you have root access to the server, or only access to the cPanel account?
Providers that sell cPanel licenses should be offering some level of support, although they may not be able to confirm specifically how a compromise happened. We wouldn't be able to guarantee we could find that on our end either.
They should be able to see if they user accessed cPanel through a regular login, which would indicate a compromised password, so that would at least give you something to work from.